The pitch is simple. You give it a token contract address. You get back a score from 0 to 100, a verdict tag, and six subscores you can actually reason about. No black box. Just three public risk APIs combined into one paid call at $0.10.
Here's what's under the hood.
Inputs
POST a JSON body with two fields:
{
"token_address": "0x4200000000000000000000000000000000000006",
"chain": "base"
}
token_address is the only required field. It has to be a 0x-prefixed 20-byte EVM address. chain defaults to base, with ethereum and bsc also accepted. That's the whole API surface for inputs.
The three backends
Three calls fan out in parallel through Promise.allSettled, with a 15s per-fetch timeout and a 25s ceiling on the whole request.
- honeypot.is runs an on-chain sell simulation and reports buy/sell tax. This drives the honeypot subscore (25 points) and the taxes subscore (20 points).
- GoPlus Security returns holder distribution, LP token holders, ownership flags, mintability, hidden-owner signals, proxy status. It drives three subscores: holder concentration (20), liquidity (15), and ownership (10).
- Etherscan v2
getcontractcreationgives the contract's creation timestamp. That drives the contract-age subscore (10).
Total: 25 + 20 + 20 + 15 + 10 + 10 = 100.
If any backend fails, that backend's subscore drops to 0 and a warning string gets appended to warnings[]. The other subscores still compute. No 500 on partial data. That matters because GoPlus rate-limits aggressively on cold tokens, and honeypot.is sometimes can't simulate against shallow pools.
How each subscore actually works
The taxes subscore uses the worst of buy and sell tax. Under 2% gets the full 20. Under 5% gets 15. Under 10% gets 10. Under 20% gets 5. Anything 20%+ scores zero. So a 30% sell tax kills the taxes subscore even if the buy tax is clean.
Holder concentration sums the top 10 holder percentages from GoPlus. Under 30% combined gets the full 20. Between 30 and 50 gets 14. Between 50 and 70 gets 8. Above 70 gets 3. One quirk: GoPlus reports percentages as fractions if they're below 1.5, so the code auto-detects and multiplies by 100.
Liquidity is the most opinionated subscore. To get the full 15, you need 50+ LP holders AND at least one locked LP position. Twenty-plus LP holders OR a locked position gets 9. Five or more holders gets 5. Anything thinner gets 1.
Contract age is the gentlest. A year or older gets the full 10. Six months gets 8. Three months gets 6. One month gets 4. One week gets 1. Fresh contracts get 0.
Ownership starts at 10 and gets penalized: -4 if not renounced, -3 if proxy, -3 if mintable, -4 if take-back-ownership exists, -5 if a hidden owner is set. Clamped to 0.
Verdict thresholds
Anything 80+ is safe. 50-79 is caution. Below 50 is high_risk. The thresholds are deliberately strict, because the failure mode you want to avoid is a confident safe tag on a half-rugged token, not a caution on a legitimate one.
A real call
WETH on Base, the canonical "this should basically max out" case:
curl -X POST https://x402.bankr.bot/api/token-risk-score \
-H 'Content-Type: application/json' \
-d '{"token_address":"0x4200000000000000000000000000000000000006","chain":"base"}'
Response:
{
"token": { "name": "Wrapped Ether", "symbol": "WETH", "decimals": 18 },
"chain": "base",
"score": 95,
"verdict": "safe",
"subscores": {
"honeypot": 25, "taxes": 20, "holder_concentration": 20,
"liquidity": 15, "contract_age": 10, "ownership": 5
},
"warnings": [],
"data_sources": ["honeypot.is", "goplus", "etherscan"],
"source": "composite"
}
Note the ownership subscore is 5, not 10. WETH has a non-renounced owner address (the Base bridge) and a proxy pattern, so it eats the renounced-owner and proxy penalties. The score still lands at 95 because every other signal is clean. That's the kind of detail you don't get from a binary "honeypot: yes/no" check.
Want to wire it into a swap router or a wallet-side trade gate? Score under 50 means halt. Score 50-79 means surface the warnings to the user. Score 80+ means proceed. Six lines of agent code. $0.10 per token checked.