Safety Report

SUPAH Whale Tracker

Name: SUPAH Whale Tracker
Author: supah-based

Real-time whale activity monitoring and smart money following for Base blockchain. Track large transactions, wallet accumulation patterns, and smart money fl...

199Downloads

1Installs

0Stars

4Versions

Monitoring & Logging3,640 Finance & Accounting3,023

Security Analysis

medium confidence

Clean0.08 risk

The skill’s code and runtime instructions are consistent with a Base-chain whale-tracking agent that talks to api.supah.ai and charges x402 micropayments; a few small mismatches (see below) deserve review but nothing indicates malicious intent.

Mar 22, 20264 files2 concerns

Purpose & Capabilitynote

The name/description match the code and SKILL.md: the skill queries a SUPAH API for whale data. However, registry/SKILL.md list 'curl' as a required binary even though the included code uses Node's https module and does not call curl, and SUPAH_API_BASE is declared required despite index.js providing a harmless default. These are inconsistencies but plausibly harmless (documentation drift).

Instruction Scopeok

SKILL.md instructs the agent to query SUPAH's API and explains x402 micropayments; the included index.js only makes HTTPS GETs (JSON) to the SUPAH API host and prints results. The instructions do not ask the agent to read unrelated files, credentials, or system paths, nor to send data to unexpected third parties.

Install Mechanismok

No install spec; this is instruction-only with an included CLI script. There are no download URLs or extract steps in the skill manifest. The README contains an example install URL (tools.supah.ai) but that URL is not used by the skill package itself.

Credentialsnote

The only declared env var is SUPAH_API_BASE (non-secret base URL). The skill does not request tokens, keys, or unrelated credentials. Note: SUPAH_API_BASE is declared required but the code uses a default value if it's absent. The SKILL metadata also embeds an x402 payTo address — normal for a paid API but means calls will incur on-chain micropayments which users should expect.

Persistence & Privilegeok

always is false and the skill does not modify other skills or system configuration. Autonomous invocation is allowed (platform default), which is expected for this type of skill.

Guidance

This skill appears to do what it says: it queries SUPAH's API (api.supah.ai) for whale data and expects x402 micropayments to a listed Base address. Before installing, verify the publisher and the payTo address (0xD3B2eCfe77780bFfDFA356B70DC190C914521761) are legitimate for SUPAH, and confirm you accept automated x402 micropayments (small USDC charges). Note the minor inconsistencies: SKILL.md/registry claim curl is required though the included code uses Node only, and SUPAH_API_BASE is marked required even though the code has a default. Those look like documentation drift rather than functional red flags, but if you need high assurance, ask the publisher for source/origin verification (the manifest lists a GitHub repo and a README install URL) and run the skill in a sandboxed environment first to confirm billing behavior.

Latest Release

v1.3.0

Removed all API key references, free tiers, subscription pricing. x402 only.

Popular Skills

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Find Skills

@JimLiuxinghai · 529 stars

Proactive Agent

@halthelobster · 426 stars

Summarize

@summarize · 415 stars

Published by @supah-based on ClawHub