Mi Trading
v1.0.0
Trade tokens on Solana using the ClawDex CLI. Use when the user asks to swap tokens, check balances, get quotes, or manage a Solana trading wallet.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Solana token trading via ClawDex) aligns with the SKILL.md content: commands, quotes, simulation, and execution are coherent for a trading skill. However, the registry metadata claims no required env vars or config paths while the instructions explicitly reference JUPITER_API_KEY, SOLANA_RPC_URL, and a wallet file (~/.config/solana/id.json), which is inconsistent and unexplained.
Instruction Scope
The SKILL.md stays within trading scope (health check, balances, simulate, execute) but it instructs the agent to access a local Solana wallet file and environment variables (JUPITER_API_KEY, optional SOLANA_RPC_URL). Accessing a user's wallet file is sensitive; the instructions do not limit which wallet to use or instruct using a dedicated/trust-limited wallet. The SKILL.md also suggests installing clawdex from npm, which requires running third-party code.
Install Mechanism
This is instruction-only (no install spec in registry). The SKILL.md recommends 'npm install -g clawdex@latest' if clawdex is not present — a common mechanism but it entails installing an npm package from the public registry. No opaque download URLs or extract steps are present in the skill itself.
Credentials
The registry declares no required env vars, but the SKILL.md requires JUPITER_API_KEY during onboarding and references SOLANA_RPC_URL. It also assumes access to a wallet file path (~/.config/solana/id.json). Requesting access to a private wallet file and an API key is proportionate to trading functionality — but it should be declared up front. The lack of declared credentials/config in metadata is a mismatch that could lead to unexpected exfiltration risk if the underlying clawdex binary is untrusted.
Persistence & Privilege
The skill does not request persistent/all-skill privileges (always: false) and does not modify other skills or system-wide settings in the provided instructions. Autonomous invocation is allowed by default (disable-model-invocation: false) but that is platform default and not by itself flagged.
What to consider before installing
This skill's instructions perform exactly the kind of operations you'd expect for a Solana trading CLI, but the registry metadata omits the sensitive items the SKILL.md needs (JUPITER_API_KEY, RPC URL, and a local wallet file). Before installing or running: (1) verify the provenance of the 'clawdex' npm package (publisher, repository, audit its source) rather than blindly running npm install -g; (2) never point the tool at your main wallet — use a dedicated wallet with minimal funds for testing; (3) consider running the CLI in an isolated environment/container; (4) confirm whether JUPITER_API_KEY or other secrets are actually required and where they are sent; (5) ask the skill author or registry to update metadata to declare required env vars and config paths. If the registry metadata and a trustworthy upstream repo are provided (and code audit shows no exfiltration), the concern would be reduced.
Like a lobster shell, security has layers — review code before you run it.
