Skill v1.0.0
ClawScan security
agent ultimate bots · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 9:06 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The code implements a DeFi agent that needs sensitive environment variables (private keys, RPCs, router and token addresses) but the skill metadata and SKILL.md omit and under-specify those requirements — this mismatch and the potential for real transactions make the package risky without further review.
- Guidance: This package will perform real blockchain transactions if you provide private keys in .env. Before running: 1) Do not use real/mainnet private keys — test with ephemeral testnet keys only. 2) Inspect and understand every environment variable the code expects (RPC_URLS, PRIVATE_KEYS, MAX_TX_PER_HOUR, DEX_ROUTER, TOKEN_IN, TOKEN_OUT, MIN_DELAY, MAX_DELAY) and never put secrets into a .env you don't control. 3) Verify the DEX router and token addresses are correct and trustworthy. 4) Run in an isolated/sandbox environment (separate wallet with no funds) and run npm install from a trusted environment. 5) Prefer a safer signing method (hardware wallet or remote signing) instead of plaintext private keys. 6) Ask the publisher for missing documentation, a homepage, and explicit declared requirements; absence of that info is a transparency risk. If you cannot validate these items, do not run this skill with valuable keys or on mainnet.
Review Dimensions
- Purpose & Capability (concern): The files (ultimate-agent.js, wallet.js) implement the described DeFi features (multi-RPC, multi-wallet, swaps). Purpose matches the code, but the skill registry metadata declares no required env vars or credentials while the code clearly requires many (PRIVATE_KEYS, RPC_URLS, DEX_ROUTER, TOKEN_IN, TOKEN_OUT, MAX_TX_PER_HOUR, MIN_DELAY, MAX_DELAY). That omission is an inconsistency that reduces transparency and is concerning.
- Instruction Scope (concern): SKILL.md only says 'fill .env' and 'node ultimate-agent.js' but does not enumerate the many environment variables the runtime reads. ultimate-agent.js will send transactions (wallet.sendTransaction and router.swapExactETHForTokens), persist and update brain.json, and use network APIs (Coingecko). The instructions are overly vague and grant the agent broad, potentially destructive actions without clear user prompts or safety steps.
- Install Mechanism (note): There is no install spec; this is effectively an instruction+code package. Dependencies are standard npm packages (ethers, dotenv, axios) declared in package.json/package-lock.json — no remote binary downloads or obscure URLs. The lack of an install instruction (npm install) and lack of provenance/homepage is a transparency/usability issue but not an immediate red flag for arbitrary remote code execution.
- Credentials (concern): The runtime requires highly sensitive secrets (PRIVATE_KEYS) and configuration for RPCs, router and token addresses, but the skill metadata lists no required env vars and no primary credential. Requesting raw private keys is expected for a tool that signs transactions, but the absence of explicit declared requirements and guidance (e.g., use testnet keys, hardware wallet alternatives) is disproportionate and dangerous if users supply mainnet keys unknowingly.
- Persistence & Privilege (ok): The skill does local persistence only (reads/writes brain.json). It does not request always:true and does not modify other skills or global agent configuration. Autonomous invocation is allowed by default (disable-model-invocation is false), but that is platform-normal; there is no evidence the skill escalates privileges beyond its own files.
