Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SushiSwap SDK

TypeScript SDK for interacting with the SushiSwap Aggregator and related primitives. This SDK is a typed wrapper over the SushiSwap API, providing ergonomic helpers for token amounts, prices, quotes, and swap transaction generation.

USE THIS SKILL WHEN:

  • Building TypeScript or JavaScript applications
  • You want strongly typed token, amount, and fraction primitives
  • You need to request swap quotes or executable swap transactions via code
  • You want safer arithmetic, formatting, and comparisons without floating point errors
  • You prefer SDK-based integration over raw HTTP requests

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description (TypeScript SDK for SushiSwap aggregator) aligns with the SKILL.md content: examples show getQuote/getSwap, use of viem for RPC/wallet clients, and guidance about referrer and fee splits. The requested npm packages (sushi, viem) are consistent with the stated purpose.
Instruction Scope (flagged)
The reference example instructs reading process.env.PRIVATE_KEY and using it to create/send transactions. That is sensitive I/O and is not reflected in the declared requirements. The SKILL.md otherwise stays within the SDK's scope, but the example explicitly demonstrates accessing and using a private key, which the skill metadata fails to surface.
Install Mechanism
There is no install spec (instruction-only) and the SKILL.md simply recommends installing 'sushi' and 'viem' via common package managers. This is low-risk in itself, but because the skill has unknown provenance, installing packages from the registry should be done cautiously.
Credentials (flagged)
The skill metadata declares no required environment variables, yet the reference code reads process.env.PRIVATE_KEY to sign/send transactions. Asking for a private key (or demonstrating its use) is a high-sensitivity action and should be explicitly declared and justified. There is also a mandatory 'referrer' parameter (for affiliate/fee attribution), which may have economic implications but is not a secret; however the private key usage is not documented in requires.env.
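
The mismatch described in this finding can be checked mechanically before installing a skill. The sketch below is an added example, not ClawHub's scanner or code from the skill: it lists every environment variable a skill's files read but its metadata does not declare. The `declaredEnv` list standing in for requires.env, the helper names, and the sample file contents are assumptions.

```typescript
// Added example, not ClawHub's scanner. `declaredEnv` stands in for the
// skill's requires.env list; the exact metadata shape is an assumption.
interface EnvFinding {
  variable: string
  file: string
  line: number
}

// Names that suggest signing material or secrets, so they are triaged first.
const SENSITIVE_HINT = /(PRIVATE|SECRET|MNEMONIC|SEED|PASSWORD|KEY)/i

function findUndeclaredEnv(files: Record<string, string>, declaredEnv: string[]): EnvFinding[] {
  const findings: EnvFinding[] = []
  for (const file of Object.keys(files)) {
    const lines = files[file].split('\n')
    for (let i = 0; i < lines.length; i++) {
      // Matches process.env.NAME, process.env['NAME'] and process.env["NAME"].
      const ref = /process\.env(?:\.([A-Za-z_$][\w$]*)|\[\s*['"]([^'"]+)['"]\s*\])/g
      let m: RegExpExecArray | null
      while ((m = ref.exec(lines[i])) !== null) {
        const variable = m[1] || m[2]
        if (declaredEnv.indexOf(variable) === -1) {
          findings.push({ variable: variable, file: file, line: i + 1 })
        }
      }
    }
  }
  return findings
}

function isSensitive(finding: EnvFinding): boolean {
  return SENSITIVE_HINT.test(finding.variable)
}

// Constructed sample files resembling what the scan describes.
const sampleFiles: Record<string, string> = {
  'references/REFERENCE.md': [
    'const account = privateKeyToAccount(process.env.PRIVATE_KEY)',
    "const rpcUrl = process.env['RPC_URL']",
  ].join('\n'),
  'SKILL.md': 'pnpm add sushi viem',
}

// Nothing is declared, as on this page: both reads are reported.
const sampleFindings = findUndeclaredEnv(sampleFiles, [])
console.log(sampleFindings.filter(isSensitive).map((f) => f.variable + ' @ ' + f.file + ':' + f.line))
```
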
Persistence & Privilege
The skill is not always-enabled (always:false) and is user-invocable. Autonomous invocation is allowed by default, which is normal. Because the skill can generate executable swap data and (per examples) request signing via an env private key, an agent invoking this skill autonomously could attempt to execute on-chain transactions if given credentials — users should be cautious about granting signing credentials to autonomous agents.
What to consider before installing
This skill appears to be a legitimate SDK wrapper for SushiSwap, but there are important mismatches and provenance gaps you should address before installing or using it:

  • The reference examples show reading process.env.PRIVATE_KEY to sign and send transactions, yet the skill metadata does not declare any required environment variables. Do not provide your private key to this skill (or to an agent) unless you fully trust the source and understand exactly when and how it will be used.
  • The skill source and homepage are unknown. Verify the package author and locate the official repository or npm package named 'sushi' before installing — typosquatting and fake packages are common on registries.
  • If you need to execute swaps, prefer signing transactions offline or with a hardware wallet / ephemeral key that has minimal funds and limited permissions. Never store high-value keys in plain process.env for untrusted agents.
  • Ask the skill author to: (1) declare required env vars (e.g., PRIVATE_KEY) in metadata, (2) document exactly how referrer is used and whether any revenue/affiliate behavior occurs, and (3) provide a source repository or official homepage so you can audit the package code.

If you can't verify provenance or the author cannot clarify the env/credential handling, treat this skill as untrusted and avoid giving it signing keys or broad access.

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.0

SKILL.md

SushiSwap SDK Integration

The SushiSwap SDK is a TypeScript wrapper around the SushiSwap API. It provides strongly typed primitives and utilities for working with tokens, prices, swap quotes, and transaction generation.

This SDK does not replace the API — it builds on top of it with safer, more expressive abstractions.


Installation

Install the required packages using your package manager of choice:

pnpm add sushi viem
npm add sushi viem
yarn add sushi viem
bun add sushi viem

How To Use

  1. Import the appropriate SushiSwap SDK helpers from sushi/evm
  2. Select the correct SDK method based on user intent:
    • Swap quote → getQuote()
    • Swap execution → getSwap()
  3. Provide all required parameters exactly as defined by the SDK types
  4. Always include a valid referrer value
  5. Validate inputs (chainId, token addresses, amount, slippage) before execution
  6. Use returned transaction data exactly as provided for simulation or execution

The SDK is a thin wrapper over the SushiSwap REST API — all routing, pricing, and calldata generation is still performed by the API.


Supported Networks

The SushiSwap SDK exposes the list of supported swap networks via:

import { SWAP_API_SUPPORTED_CHAIN_IDS } from 'sushi/evm'

  • Agents and integrators should always check this list before attempting to:
    • Fetch a quote
    • Generate swap transaction data
  • If a requested chainId is not included:
    • The agent must fail early or prompt the user to select a supported network
    • Agents must not attempt to guess or hardcode supported chains

This list reflects the networks currently supported by the SushiSwap Aggregator API. The supported networks may change over time and should not be cached indefinitely.

Mandatory referrer Parameter

  • The referrer parameter must be specified when calling getQuote() or getSwap()
  • The agent or integrator must identify themselves using this field
  • Swap-related SDK calls must not be executed without a referrer value
  • The SDK must not auto-generate or omit this value on behalf of the integrator
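
The pre-flight checks required above (step 5 of How To Use, the supported-network check, and the mandatory referrer) can be combined into one gate that runs before getQuote() or getSwap(). This is an added example, not code from the SDK or the skill; the `SwapRequest` field names, the 5% slippage ceiling, and the sample chain list and addresses are assumptions.

```typescript
// Added example, not part of the SDK. Field names and the slippage ceiling are
// assumptions; in real use pass SWAP_API_SUPPORTED_CHAIN_IDS as `supportedChainIds`.
interface SwapRequest {
  chainId: number
  tokenIn: string
  tokenOut: string
  amount: string // integer in the token's base units, as a decimal string
  maxSlippage: number // fraction: 0.005 means 0.5%
  referrer: string
}

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/
const MAX_SLIPPAGE = 0.05 // assumed local policy ceiling, not an SDK limit

function validateSwapRequest(req: SwapRequest, supportedChainIds: readonly number[]): string[] {
  const errors: string[] = []
  if (supportedChainIds.indexOf(req.chainId) === -1) {
    errors.push('chainId ' + req.chainId + ' is not a supported network')
  }
  if (!ADDRESS_RE.test(req.tokenIn)) errors.push('tokenIn is not a 20-byte hex address')
  if (!ADDRESS_RE.test(req.tokenOut)) errors.push('tokenOut is not a 20-byte hex address')
  if (req.tokenIn.toLowerCase() === req.tokenOut.toLowerCase()) {
    errors.push('tokenIn and tokenOut are the same token')
  }
  // Digits only: rejects decimals, signs, exponents, empty input and zero.
  if (!/^[0-9]+$/.test(req.amount) || /^0+$/.test(req.amount)) {
    errors.push('amount must be a positive integer in base units')
  }
  // Written so that NaN also fails the check.
  if (!(req.maxSlippage > 0 && req.maxSlippage <= MAX_SLIPPAGE)) {
    errors.push('maxSlippage must be greater than 0 and at most ' + MAX_SLIPPAGE)
  }
  if (req.referrer.trim() === '') errors.push('referrer is required')
  return errors
}

// Constructed sample values; the chain list stands in for the SDK's export.
const sampleChainIds: readonly number[] = [1, 137, 42161]
const goodRequest: SwapRequest = {
  chainId: 1, tokenIn: '0x1111111111111111111111111111111111111111',
  tokenOut: '0x2222222222222222222222222222222222222222',
  amount: '1000000000000000000', maxSlippage: 0.005, referrer: 'example-agent',
}
const badRequest: SwapRequest = {
  chainId: 999999, tokenIn: goodRequest.tokenIn, tokenOut: '0x1234',
  amount: '1.5', maxSlippage: 0.5, referrer: '  ',
}
console.log(validateSwapRequest(goodRequest, sampleChainIds), validateSwapRequest(badRequest, sampleChainIds))
```

An agent should refuse to call the SDK, and should never reach a signing step, unless the returned list is empty.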

Fee Customization

The SushiSwap SDK supports customized swap fees when using getQuote() or getSwap().

Default fee model

  • Swap-related requests follow an 80/20 fee split by default
    • 80% to the integrator (referrer)
    • 20% to SushiSwap
  • This split applies unless explicitly overridden by SushiSwap

Custom fee splits

  • Alternative fee splits require a partnership with SushiSwap
  • Agents and integrators should not assume custom splits are available. If users request alternative fee splits, agents should direct them to the SushiSwap team rather than attempting to modify request parameters.

Additional Reference

For detailed SDK examples & execution flow, see:

references/REFERENCE.md
