SaucerSwap Arbitrage

Perform triangular arbitrage on Hedera using SaucerSwap to find, calculate, and execute profitable multi-hop token swaps atomically.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill says it will find and execute atomic multi-hop swaps on Hedera, but it declares no credentials, no signing method, and no account/keys. Executing transactions on Hedera requires an account ID and private key (or a wallet signing flow). The skill also mixes EVM-style 0x contract addresses with Hedera token IDs (0.0.x), which is inconsistent with a coherent deployment plan.
[!] Instruction Scope
The SKILL.md includes code snippets that call an external API and shows a ContractExecuteTransaction to run a swap, but the instructions are vague: they use token symbols (e.g., 'USDC') where APIs typically expect token addresses/IDs, assume getQuote returns a raw numeric value, and do not explain how to obtain signatures or submit transactions. This leaves wide discretionary behavior and omits critical steps (wallet integration, signing, nonce/fee handling, error handling).
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. That reduces risk from arbitrary downloads or disk writes. However, the examples reference Node (axios) and Hedera SDK constructs without declaring dependencies, which is incomplete but not itself an install risk.
[!] Credentials
The skill requires no environment variables or credentials despite claiming the ability to submit on-chain swaps. Performing swaps requires sensitive credentials (account ID / private key) or a delegated wallet signing flow; the absence of any declared credential requirements is a mismatch and suggests the instructions are incomplete or could encourage insecure practices (e.g., pasting private keys into chat).
Persistence & Privilege
always is false and there is no persistence/install behavior. Autonomous invocation is allowed by default (platform standard), but combined with the credential omission this is a usability/consistency problem rather than a direct elevation of privilege.
What to consider before installing
This SKILL.md is incomplete and inconsistent with its stated goal. Before using it:

  (1) Do NOT paste or store private keys into the agent — require wallet-based signing (HashPack or other) so the agent cannot exfiltrate keys.
  (2) Ask the author how signing and submission are performed: the skill must declare how it obtains an account ID and private key or integrate a user-driven wallet prompt.
  (3) Verify and correct addresses and API usage: confirm whether SaucerSwap uses Hedera IDs (0.0.x), EVM addresses (0x...), or a specific API token format, and test the quoted endpoints (e.g., mainnet-api.saucerswap.fi) on testnet first.
  (4) Require explicit environment variables or an OAuth-like wallet flow if automation is needed; otherwise keep execution manual.
  (5) Test all logic on Hedera testnet with small amounts and review returned quote formats (responses are likely objects, not a single number).

Given the mismatches (address formats, missing credentials, vague API expectations), treat this skill as suspicious and demand clarifications or a revised implementation before running it against mainnet funds.


Current version: v1.0.0


SKILL.md

SaucerSwap Arbitrage

Overview

SaucerSwap is the main DEX on Hedera. Triangular arbitrage profits from price differences between three tokens by trading around a cycle that ends in the starting token.

Key Contracts (Mainnet)

  • SaucerSwap V1: 0xcaec9706a4622D356d2D3aEd8f8D40c51f0C0dF
  • SaucerSwap V2: 0xA6F4E11E5D8A3F62A7D4E3E6B1E7F3C9E8F2A1B4

Get Quotes (V1)

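const axios = require('axios');

// Quote a full path hop by hop, feeding each hop's output into the next,
// so the result is denominated in the path's final token.
async function getQuote(amountIn, path) {
  let amount = amountIn;
  for (let i = 0; i < path.length - 1; i++) {
    const response = await axios.get('https://mainnet-api.saucerswap.fi/route', {
      params: { from: path[i], to: path[i + 1], amount },
    });
    // Assumes the endpoint returns a bare numeric amount, as the original
    // snippet does; confirm the real response shape before relying on it.
    amount = Number(response.data);
  }
  return amount;
}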

Token Addresses (Hedera)

  • HBAR: 0.0.1000 (wrapped: 0x... in EVM format)
  • USDC: 0.0.456719
  • USDT: 0.0.456720
  • ETH: 0.0.456721
  • WBTC: 0.0.456722
  • SAUCE: 0.0.456723

Arbitrage Logic

1. Check Prices

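// Get prices for potential paths
const paths = [
  ['USDC', 'HBAR', 'USDC'],
  ['USDC', 'SAUCE', 'USDC'],
  ['HBAR', 'USDC', 'HBAR']
];

// Wrapped in an async function: top-level await is not available in CommonJS.
async function checkPrices() {
  for (const path of paths) {
    const out = await getQuote(1000, path);
    const profit = out - 1000; // both amounts are in the path's starting token
    console.log(`${path.join(' → ')}: ${profit}`);
  }
}

checkPrices().catch(console.error);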

2. Execute Swap

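const { ContractExecuteTransaction } = require('@hashgraph/sdk');

// Via HashPack or direct contract call.
// params: a ContractFunctionParameters instance; its arguments are elided
// ([...]) in the original. The transaction must still be signed before submission.
const tx = new ContractExecuteTransaction()
  .setContractId(poolAddress)
  .setFunction("swap", params);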

Safety Checks

  1. Slippage: Set min output = expected * 0.97
  2. Gas: Estimate network fees (tinybars)
  3. Pool Depth: Check liquidity before large trades
  4. Hedera Gossip: Account for network latency

Key Differences from EVM

  • No EOA signatures: Must use Hedera native signing
  • Network fees: Paid in tinybars (not gas)
  • Transaction types: Use HAPI, not EVM
  • Token format: Use 0.0.xxxxx not 0x...
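
The identifier formats contrasted above can be checked mechanically before any value reaches a quote or swap call. The following is an added example, not part of the original SKILL.md: classifyId, toLongZeroAddress, audit and PAGE_IDS are hypothetical names, the sample input is copied from this page, and EIP-55 checksums are not verified.

```javascript
// Added example (hypothetical helper names). Hedera entity IDs are
// shard.realm.num; EVM addresses are 0x followed by exactly 40 hex digits.
const HEDERA_ID = /^(\d+)\.(\d+)\.(\d+)$/;
const EVM_ADDR = /^0x[0-9a-fA-F]{40}$/;

// Classify one identifier; symbols such as 'USDC' are rejected as unknown.
function classifyId(id) {
  if (EVM_ADDR.test(id)) return { kind: 'evm', ok: true };
  if (HEDERA_ID.test(id)) return { kind: 'hedera', ok: true };
  if (/^0x/i.test(id)) {
    const reason = `expected 40 hex digits, got ${id.length - 2} characters`;
    return { kind: 'evm', ok: false, reason };
  }
  return { kind: 'unknown', ok: false, reason: 'not shard.realm.num or 0x address' };
}

// Long-zero EVM form of a Hedera ID: 4-byte shard, 8-byte realm, 8-byte num.
// Entities may also have a separate alias address; that is not derived here.
function toLongZeroAddress(id) {
  const m = HEDERA_ID.exec(id);
  if (!m) throw new Error(`not a Hedera ID: ${id}`);
  const [shard, realm, num] = m.slice(1).map((s) => BigInt(s));
  if (shard >= 1n << 32n || realm >= 1n << 64n || num >= 1n << 64n) {
    throw new RangeError(`component out of range: ${id}`);
  }
  const hex = (v, bytes) => v.toString(16).padStart(bytes * 2, '0');
  return '0x' + hex(shard, 4) + hex(realm, 8) + hex(num, 8);
}

// Identifiers copied from this page, used here as the sample input.
const PAGE_IDS = {
  'SaucerSwap V1': '0xcaec9706a4622D356d2D3aEd8f8D40c51f0C0dF',
  'SaucerSwap V2': '0xA6F4E11E5D8A3F62A7D4E3E6B1E7F3C9E8F2A1B4',
  USDC: '0.0.456719',
  SAUCE: '0.0.456723',
};

// Return every entry that fails validation, with the reason attached.
function audit(ids) {
  return Object.entries(ids)
    .map(([name, id]) => ({ name, id, ...classifyId(id) }))
    .filter((r) => !r.ok);
}

console.log(audit(PAGE_IDS));
console.log(toLongZeroAddress('0.0.456719'));
```

A value that passes has only the right shape; whether it is the real SaucerSwap contract or token still has to be confirmed against an authoritative source.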
