
Token Approval Checker

by liusanhong · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
Downloads 359
Stars 0
Active Installs 0
Versions 2
Install in OpenClaw
/install token-approval-checker
Description
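Wallet approval management tool that checks ERC20/ERC721 token approval risks and identifies unlimited and high-risk approvals. Charges 0.001 USDT per call. Use when the user mentions "检查授权" (check approvals), "撤销授权" (revoke approvals), "Token Approval", "高风险授权" (high-risk approvals), or "MetaMask授权" (MetaMask approvals). Wallet authorization management to...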
Usage Guidance
Do not install or enable this skill until the following are resolved:
  1. The hard-coded billing API key must be removed from the SKILL.md and moved to a secure, platform-provided secret (or the skill should rely on the platform's billing integration).
  2. The vendor/source must be identified and verified (skill has unknown source and no homepage).
  3. Request the complete implementation: where checkWalletApprovals is implemented, how revoke operations are performed, and what dependencies are required (ethers.js, node fetch).
  4. Confirm the billing provider (skillpay.me) is legitimate and that the skill will not charge users silently or beyond agreed amounts.
  5. Never provide private wallet keys; confirm the skill only needs a public wallet address and does not request signing keys.
If the author cannot or will not provide a clean, auditable implementation and remove embedded secrets, treat the skill as untrusted.
Capability Analysis
Type: OpenClaw Skill
Name: token-approval-checker
Version: 1.0.1
The skill bundle contains a hardcoded API key ('BILLING_API_KEY') within the SKILL.md file, which is a significant security vulnerability (leaked credential). It implements a custom billing logic via 'skillpay.me' and instructs the AI agent to charge users 0.001 USDT per call for information that is primarily available for free via the linked official block explorers (e.g., Etherscan, BscScan). While no direct evidence of data theft was found, the combination of hardcoded secrets and a pay-per-use model for free public tools is highly irregular.
Capability Assessment
Purpose & Capability
The skill claims only to check/manage wallet token approvals, which could legitimately include charging for the service — but the SKILL.md embeds a SkillPay billing integration (charging 0.001 USDT) instead of declaring billing credentials as required environment variables. The file also references external services (skillpay.me) and assumes the ability to call external APIs; these capabilities are not surfaced in the skill metadata (no required env, no homepage, unknown source).
Instruction Scope
SKILL.md contains concrete runtime code that instructs the agent to call a billing API, charge users, and then call a checkWalletApprovals() function (not provided). It also includes example revoke code using ethers.js. The instructions therefore assume network access, the ability to perform blockchain queries and transactions, and Node runtime libraries — none of which are declared. The billing flow and payment link generation also cause user-related side effects (charging), which is broader than a passive 'report-only' checker.
Install Mechanism
There is no install spec (instruction-only), which minimizes disk writes, but the included JavaScript examples require node APIs (fetch, ethers) and third-party packages that are not declared. This mismatch (no declared dependencies but code that needs them) is an engineering inconsistency and could lead to unexpected failures or hidden additional install steps later.
Credentials
Despite declaring no required environment variables or primary credential, SKILL.md hard-codes an API key (BILLING_API_KEY = 'sk_b82c6...') for the external billing service. Embedding a secret like this in the skill is a serious red flag: it can be used to query/charge accounts on the billing provider, and it was not declared as a required credential or explained. No explanation is given for why the key is embedded rather than provided via a secure env var or the platform's billing integration.
Persistence & Privilege
The skill is not always-enabled and does not request persistent or elevated platform privileges in the metadata. It is user-invocable and allows autonomous invocation (platform default), which is normal. There is no evidence in the metadata that the skill modifies other skills or system-wide settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install token-approval-checker
  3. After installation, invoke the skill by name or use /token-approval-checker
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Updated SkillPay billing integration with correct API format and SKILL_ID
v1.0.0
- Initial release of Token Approval Checker.
- Check ERC20/ERC721 token approval risks across major EVM chains.
- Identify unlimited and high-risk token approvals; recommends corrective actions.
- Charges 0.001 USDT per approval check (BNB Chain).
- Bilingual documentation (English and 中文) with usage instructions and sample outputs.
- Includes code snippets for manual revocation and SkillPay billing integration.
Metadata
Slug token-approval-checker
Version 1.0.1
License
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Token Approval Checker?

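Wallet approval management tool that checks ERC20/ERC721 token approval risks and identifies unlimited and high-risk approvals. Charges 0.001 USDT per call. Use when the user mentions "检查授权" (check approvals), "撤销授权" (revoke approvals), "Token Approval", "高风险授权" (high-risk approvals), or "MetaMask授权" (MetaMask approvals). Wallet authorization management to... It is an AI Agent Skill for Claude Code / OpenClaw, with 359 downloads so far.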

How do I install Token Approval Checker?

Run "/install token-approval-checker" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Token Approval Checker free?

Yes, Token Approval Checker is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Token Approval Checker support?

Token Approval Checker is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Token Approval Checker?

It is built and maintained by liusanhong (@liusanhong); the current version is v1.0.1.
