Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawlett

v0.4.1

Secure autonomous token swaps on Base Mainnet via a Gnosis Safe using MEV-protected CoW Protocol, with token approval, ETH wrapping, scam detection, and uniq...

by Ardian @0xardi
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
The skill's stated purpose (safe-backed token swaps, Trenches, CoW/Kyber) matches the included scripts, but registry metadata claims no required binaries, no env vars, and no config paths while the code clearly expects a Node runtime, git for migrations, a wallet config (config/wallet.json) and an agent private key file (agent.pk). Those undeclared runtime requirements are a coherence problem: someone using this skill must provide sensitive files and binaries not listed by the skill metadata.
Instruction Scope
SKILL.md requires explicit user confirmation for on-chain actions (quote-only by default), which aligns with the code's use of --execute flags. However, the runtime instructions and MIGRATION_GUIDE also instruct running git commands, running node scripts, and touching local config files. The scripts read sensitive local files (agent.pk, wallet.json), authenticate to external APIs (Trenches, CoW, Kyber, DexScreener) and may upload images or register appData. All of this is within the claimed domain, but it extends the agent's scope to local filesystem secrets and multiple external services that were not declared in metadata.
!
Install Mechanism
No install spec is provided, yet the package includes Node scripts and a package.json with dependencies (ethers) — executing these scripts requires Node/npm (and likely running npm install). MIGRATION_GUIDE also instructs git fetch/checkout. The absence of any declared install mechanism or required binaries is inconsistent and increases friction/risk: the user or agent must perform manual installs and fetch code, which can execute arbitrary JavaScript on the host.
!
Credentials
The registry declares no required environment variables or config paths, but the code expects and uses: BASE_RPC_URL / WALLET_CONFIG_DIR (optional envs), a config directory containing wallet.json, and an agent private key file (agent.pk). The agent private key is essential to deploy and sign transactions; storing it on-disk and allowing code to read it is sensitive. The scripts also contact multiple external endpoints (CoW, Kyber, Trenches, DexScreener) and hardcode a partner fee recipient address (0xCB52B32D...), which should be audited. These required secrets and file accesses are not documented in metadata and are high-impact if mishandled.
Persistence & Privilege
The skill is not force-installed (always: false) and does not request platform-level privileges, which is good. However the operational flow requires the agent to generate and hold an agent private key and to deploy contracts/roles before transferring Safe ownership — that implies the agent will create and store long-lived secrets (agent.pk) and perform privileged on-chain operations when explicitly commanded. Because the skill can be invoked autonomously (default), ensure the agent's execution policies and confirmation enforcement are actually enforced by the runtime.
What to consider before installing
Key points to review before installing or running this skill:
- Missing metadata vs real requirements: The skill metadata claims no required binaries or config files, but the code needs Node (and npm), git for migrations, a config directory with wallet.json, and a local agent private key file (agent.pk). Don't run the scripts until you can satisfy and control these requirements.
- Protect the agent private key: The skill generates/reads agent.pk and uses it to sign transactions and authenticate to the Trenches API. Only run this in an environment you control; if you let the agent generate a key, ensure you retain custody and understand the deploy/transfer flow before funding anything.
- Confirm explicit-execution behavior: SKILL.md states the agent must never execute on-chain transactions without explicit user confirmation. Verify in practice (in a safe test environment) that the runtime enforces this and that the agent doesn't auto-run migration scripts or git checkouts.
- Audit external endpoints and hardcoded addresses: The scripts call CoW (api.cow.fi), Kyber (aggregator-api.kyberswap.com), DexScreener, and Trenches (trenches.bid) and hardcode a partner fee recipient (0xCB52B32D...). Review those endpoints and the partner fee behavior to ensure you accept the fees and trust the services.
- Run in isolation first: If you want to test, run the code locally in an isolated VM or container, inspect the code, run npm install from package.json, and manually step through initialize.js without funding or broadcasting transactions.
- Consider additional declarations: Ask the publisher to update the skill metadata to list required binaries (node, git), config paths (config/wallet.json, agent.pk), and any required env vars (BASE_RPC_URL, WALLET_CONFIG_DIR, TRENCHES_API_URL). That makes the security posture auditable.

If you cannot or will not audit the code and control the agent key and execution environment, do not use this skill with real funds.
