slowmist/badwhale-skills

badwhale-skills

An AI agent skill for the BadWhale OpenAPI — let an AI agent run authorized fake-deposit (false-recharge) security tests against a target address, and query which chains / networks / tokens BadWhale supports.

BadWhale is a commercial security service from the SlowMist Team. It helps you verify whether an exchange, wallet, custody, or payment system correctly detects forged ("fake") deposits — a common attack vector where a crafted on-chain transaction tricks a platform into crediting funds that never truly arrived.


⚠️ Authorized use only

This skill submits real test transactions through BadWhale. Use it only against systems you own or are explicitly authorized to assess. Do not test third-party addresses or platforms without written authorization. You are responsible for ensuring every target address is in scope for an authorized engagement.


Service models

Access to BadWhale is provided in two ways. Both start by contacting us:

| Model | What you get | Best for |
| --- | --- | --- |
| 1. Self-service | We issue you a BadWhale API key + API URL. You run tests yourself via this skill. | Teams that want to drive tests from their own agent/workflow. |
| 2. Managed testing | Our team runs the tests for you and reports the results. | Teams that prefer a hands-off, expert-run assessment. |

Getting access

API keys are not self-serve. To request access (either model), email:

📧 Johan@slowmist.io

Once you receive your API key and API URL, continue with the setup below.


Capabilities

| Capability | Description |
| --- | --- |
| Query supported chains / networks / tokens | Ask the agent what BadWhale currently supports, including wallet availability. |
| Send a fake-deposit test | Provide a chain, network, token, target address, and (optionally) amount; the agent validates, confirms with you, submits, and reports on-chain results. |

Installation

npx skills add slowmist/badwhale-skills

Or clone this repository into your agent's skills directory.

Setup

After receiving your credentials, set the environment variables:

export BADWHALE_BASE_URL=<BASE_URL>   # API root, must include the version prefix, e.g. https://.../api/v1
export BADWHALE_API_KEY=<API_KEY>

To make these persist across sessions, add the two export lines to your shell profile (e.g. ~/.zshrc or ~/.bashrc). The agent only ever calls the API through skill/scripts/bw.py, which reads credentials from these environment variables — keys are never hardcoded or logged. The agent also passes the variables inline on each command (e.g. BADWHALE_BASE_URL=... BADWHALE_API_KEY=... python skill/scripts/bw.py chains), because each command runs in a fresh shell where a one-off export would not carry over.
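One way a wrapper can honour the rules above (both variables read from the environment, the version prefix required, the key kept out of logs), as an added example that is not the project's bw.py. The names load_config, BadWhaleConfig and ConfigError are hypothetical, and the https-only and trailing /v<number> checks are assumptions based on the README's https://.../api/v1 example.

```python
import os
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: the version prefix is a trailing /v<number> path segment,
# matching the README's "https://.../api/v1" example.
_VERSION_SUFFIX = re.compile(r"/v\d+$")


class ConfigError(ValueError):
    """Environment is missing or malformed; messages never echo the key."""


@dataclass(frozen=True)
class BadWhaleConfig:
    base_url: str
    api_key: str = field(repr=False)  # excluded from repr() so it cannot leak into logs


def load_config(env=os.environ) -> BadWhaleConfig:
    """Read and validate the two variables, failing closed on any problem."""
    base_url = env.get("BADWHALE_BASE_URL", "").strip().rstrip("/")
    api_key = env.get("BADWHALE_API_KEY", "").strip()
    if not base_url or not api_key:
        raise ConfigError("BADWHALE_BASE_URL and BADWHALE_API_KEY must both be set")
    if "<" in base_url or "<" in api_key:
        raise ConfigError("a <PLACEHOLDER> value was not replaced")
    parts = urlsplit(base_url)
    # Assumption (added hardening): only https, and no credentials in the URL itself.
    if parts.scheme != "https" or not parts.hostname:
        raise ConfigError("BADWHALE_BASE_URL must be an https:// URL")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ConfigError("BADWHALE_BASE_URL must not carry credentials, a query or a fragment")
    if not _VERSION_SUFFIX.search(parts.path):
        raise ConfigError("BADWHALE_BASE_URL must end with the version prefix, e.g. /api/v1")
    return BadWhaleConfig(base_url, api_key)


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real endpoint.
    sample = {"BADWHALE_BASE_URL": "https://badwhale.example.test/api/v1/",
              "BADWHALE_API_KEY": "constructed-sample-key"}
    print(load_config(sample))  # prints only the base URL field
```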

Example prompts

  • "What chains and tokens does BadWhale support?"
  • "Which networks support USDT?"
  • "Run a fake-deposit test of 0.1 ETH to 0x7d7f…64bb on ethereum mainnet."
  • "Send a test deposit of USDT on the tron testnet to <address>."

The agent will validate your inputs against the live /chains list, ask you to confirm before submitting, then poll and report the on-chain result.

Directory structure

badwhale-skills/
├── README.md            ← this file
├── SKILL.md             ← skill entry point (frontmatter + 7-step flow)
├── LICENSE
├── reference/
│   └── api.md           ← API endpoint & field reference
└── skill/
    └── scripts/
        └── bw.py        ← API wrapper (the agent's only call entry point)

License

MIT © 2026 SlowMist Team



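badwhale-skills (Chinese)

An AI agent skill for the BadWhale OpenAPI: it lets an AI agent run authorized fake-deposit (forged-deposit) security tests against a specified address, and query which chains / networks / tokens BadWhale supports.

BadWhale is a commercial security service from the SlowMist team. It is used to verify whether an exchange, wallet, custody, or payment system correctly identifies forged "fake deposits", a common attack in which a specially crafted on-chain transaction induces a platform to credit funds that never actually arrived.


⚠️ Authorized use only

This skill submits real test transactions through BadWhale. It may only be used on systems you own or have been explicitly authorized to assess. Do not test third-party addresses or platforms without written authorization. You must ensure yourself that every target address falls within the scope of an authorized test.


Two service models

BadWhale can be used in two ways, and both require contacting us first:

| Model | What you get | Who it suits |
| --- | --- | --- |
| 1. Self-service testing | We issue you a BadWhale API key + API URL, and you run the tests yourself through this skill. | Teams that want to drive tests from their own agent / workflow. |
| 2. Managed testing | Our team runs the tests for you directly and reports the results. | Teams that want a hands-off assessment carried out by experts. |

Getting access

API keys cannot be requested self-service. To get access (either model), send an email to:

📧 Johan@slowmist.io

After you receive your API key and API URL, complete the configuration with the steps below.


Supported capabilities

| Capability | Description |
| --- | --- |
| Query supported chains / networks / tokens | Ask the agent what BadWhale currently supports, including wallet availability. |
| Send a fake-deposit test | Provide the chain, network, token, target address and (optionally) amount; the agent validates, confirms with you, submits and reports the on-chain result. |

Installation

npx skills add slowmist/badwhale-skills

Or clone this repository into your agent skills directory.

Configuration

After receiving your credentials, set the environment variables:

export BADWHALE_BASE_URL=<BASE_URL>   # API root address, must include the version prefix, e.g. https://.../api/v1
export BADWHALE_API_KEY=<API_KEY>

To make these persist across sessions, write the two export lines into your shell profile (e.g. ~/.zshrc or ~/.bashrc). The agent calls the API only through skill/scripts/bw.py, and credentials are read from the environment variables; they are never hardcoded or written to logs. The agent passes the variables inline on every command (e.g. BADWHALE_BASE_URL=... BADWHALE_API_KEY=... python skill/scripts/bw.py chains), because every command runs in a brand-new shell and a separate one-off export would not carry over to the next command.

Example prompts

  • "Which chains and tokens does BadWhale support?"
  • "Which networks support USDT?"
  • "Run a 0.1 ETH fake-deposit test against 0x7d7f…64bb on ethereum mainnet."
  • "Send a USDT test deposit to <address> on the tron testnet."

The agent validates your input against the live /chains list, asks you to confirm before submitting, then polls and reports the on-chain result.

Directory structure

badwhale-skills/
├── README.md            ← this file
├── SKILL.md             ← skill main entry point (frontmatter + 7-step flow)
├── LICENSE
├── reference/
│   └── api.md           ← API endpoint and field reference
└── skill/
    └── scripts/
        └── bw.py        ← API call wrapper script (the agent's only call entry point)

License

MIT © 2026 SlowMist Team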
