Is azep-ninja/quickintel-scan safe?

https://github.com/openclaw/skills/tree/main/skills/azep-ninja/quickintel-scan

Score 91 · SAFE

The quickintel-scan skill is a well-documented, legitimate cryptocurrency token security scanner that correctly identifies itself as a paid service ($0.03 USDC/scan via the x402 protocol). The skill package contains only markdown documentation — no executable code, no npm scripts, no git hooks, and no unexpected network activity was observed during installation. Primary residual risks are financial rather than technical: the broad trigger phrases enable autonomous micropayment initiation without explicit per-scan user confirmation, and the skill's positioning as a gating signal for trading decisions creates a supply-chain dependency on Quick Intel's API integrity.

Category Scores

Category · Score · Weight

Prompt Injection 88/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 94/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (7)

LOW Autonomous payment initiation on trigger phrases -7

The skill's description registers broad trigger phrases ('is this token safe', 'safe to buy', 'rug pull check', etc.) that will cause an agent to autonomously execute the x402 payment flow — debiting $0.03 USDC from the agent wallet — without requiring explicit per-invocation user confirmation. A user casually discussing token safety could inadvertently trigger paid scans.

LOW Skill chaining encourages financial automation pipeline -5

The Cross-Reference section explicitly directs agents to the 'tator-trade' skill for post-scan trading and 'token-launcher' for launches. While the references are informational, they establish a canonical workflow that pipelines scan verdicts into live on-chain transactions, increasing the blast radius of any scan result manipulation.

LOW EIP-3009 payment authorization transmitted to third-party endpoint -10

Every scan requires the agent to sign and transmit an EIP-3009 TransferWithAuthorization (wallet address, payTo address, USDC amount, validity window, nonce) to x402.quickintel.io. While this is the intended payment mechanism and the service appears legitimate, it means the agent's wallet address and payment capabilities are disclosed to an external party on every invocation.

INFO Documentation examples reference environment variable private key access -3

Multiple integration patterns show process.env.PRIVATE_KEY and process.env.SOLANA_PRIVATE_KEY as the wallet key source. An agent that interprets these examples as literal instructions and has access to environment variables could expose private keys through the integration pattern rather than a secure wallet abstraction. This is documentation, not executable code, but increases risk when agents with shell access follow these patterns directly.

INFO Canary file reads detected during monitoring window -6

The audit monitoring detected read-only opens of .env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at 04:13:13 (before skill install) and 04:13:32 (after install completes). Timing, CLOSE_NOWRITE flags, and correlation with audit-system lifecycle events strongly indicate these are the audit system's own baseline and integrity reads rather than skill-triggered reconnaissance. No content exfiltration was confirmed.

MEDIUM Recurring micropayment drain risk -15

The skill charges $0.03 USDC per scan with no built-in rate limiting or user approval gate. An adversary who can trigger scan invocations at scale (e.g., by mentioning many token addresses in conversation), or a misconfigured agent loop, could drain an agent wallet. The payment-identifier idempotency feature mitigates retry risk but does not address bulk invocation.

LOW Third-party scan verdict dependency for financial decisions -5

The skill positions Quick Intel scan results as the authoritative gating signal before token trades. If Quick Intel's API is unavailable, returns stale data, or is subject to BGP/DNS hijacking, agents following the skill's guidance could make financial decisions based on false security verdicts. The skill does recommend cross-referencing block explorers, but this advisory is easy to skip in automated flows.