Is chrisciszak/boiling-point safe?
https://github.com/openclaw/skills/tree/main/skills/chrisciszak/boiling-point
The boiling-point skill is a legitimate API integration for the Token Layer blockchain platform containing no malicious code, hidden instructions, or prompt injection. Installation was clean with no suspicious network activity or canary file access. However, the skill carries meaningful risks that users must understand: it executes real and irreversible financial transactions on Base mainnet, embeds the skill author's builder wallet address in every transaction without explicit disclosure, sets disableModelInvocation to suppress model-level oversight during financial operations, and creates a complete end-to-end token creation and trading workflow that could be weaponized for pump-and-dump schemes in autonomous contexts.
Findings (8)
HIGH Real-Money On-Chain Transactions with Irreversible Consequences -30
The skill enables agents to execute signed blockchain transactions on Base mainnet using the user's actual USDC and ETH holdings. Blockchain transactions are irreversible by design. Agent misinterpretation, adversarial prompting, or API errors could result in permanent financial loss. The skill targets a highly speculative asset class (AI/meme tokens on a bonding curve launchpad) with no investor protections.
HIGH Builder Address Embeds Undisclosed Financial Conflict of Interest -25
The skill hardcodes builder address 0x56926EbCd7E49b84037D50cFCE5C5C3fD0844E7E in all token creation and trade examples. The Token Layer platform uses this to attribute volume, enabling builders to earn platform rewards, fee-share, or preferential treatment. Users are not informed that every transaction they execute benefits the skill author through this attribution. The 'fee: 0' in examples does not preclude server-side platform rewards accruing to the builder.
MEDIUM disableModelInvocation Suppresses Reasoning During Financial Execution -20
The skill's clawdbot metadata sets disableModelInvocation to true. In the OpenClaw framework this suppresses the model-layer invocation check, meaning the agent may proceed with financial transaction construction and execution without the full reasoning layer evaluating risk, intent alignment, or potential harm. This is particularly concerning in a skill that manages real funds.
MEDIUM Pump-and-Dump Execution Pattern is Fully Documented -15
The skill provides a complete end-to-end workflow: create a token, receive its tokenId, immediately buy it with the trade-token endpoint. In automated or multi-agent deployments, this pattern enables creating a token at bonding curve launch price and immediately holding a position before any organic buyers, then promoting the token to drive price appreciation. The documented anti-sniping mechanism reveals awareness of and accommodation for MEV-style frontrunning behavior.
MEDIUM Comprehensive Financial Profile Exfiltrated to Third-Party API -20
Every API interaction transmits sensitive financial data — wallet addresses, USDC/ETH balances, token holdings, transaction history, and fee earnings — to api.tokenlayer.network. This creates a comprehensive financial profile of the user stored in a third-party system the user cannot audit, control, or delete. The /get-user-portfolio, /me, and /get-user-fees endpoints are particularly sensitive.
LOW Referral Code Promoted as Default User Action -10
The skill recommends applying referral code 'OPENCLAW' as an optional but featured step, claiming users receive 4% cashback. Referral systems typically reward both the referred user and the referrer. It is not disclosed who registered the OPENCLAW code or whether the skill author, platform operator, or a third party receives the referral benefit. This is a low-severity financial steering concern rather than a security threat.
INFO Installation Clean — No Suspicious Network Activity 0
The skill installation connected only to github.com (skill repo clone via HTTPS) and Ubuntu apt repositories (routine package list update). No connections were made to api.tokenlayer.network, no unexpected processes were spawned, and no files were written outside the skill directory. The installation process was consistent with a passive markdown-only skill.
INFO All Canary Files Intact — No Credential Exfiltration 0
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed only by the Oathe audit framework for setup and verification — no exfiltration to external endpoints was detected. The skill has no mechanism to read filesystem credentials and made no attempt to do so.