Skill v1.0.0

ClawScan security

Arbitrage Scanner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Reviewed: Mar 6, 2026, 1:45 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill claims real-time multi-DEX arbitrage scanning, but the included code only returns hardcoded demo results and does not implement the advertised live-data, multi-chain, or gas-cost logic.
Guidance
This skill is inconsistent: it advertises live, multi-chain, gas-aware arbitrage scanning, but the provided script returns hardcoded example results and never fetches live prices. It requests no secrets (good) and performs no suspicious downloads, but you should not rely on it for trading decisions. Before using it:
1. Ask the author for a real implementation, or at least for the source of live price feeds and the gas calculation it is supposed to use.
2. Review or update the script so that it actually calls trustworthy APIs or on-chain RPCs and handles credentials properly. If you later add signing or trade execution, do not store private keys in plain environment variables.
3. Test in a safe environment with no real funds to confirm the behavior matches the documentation.
4. Be cautious about enabling autonomous invocation, and never allow automatic trade execution without additional safeguards.
If you need production-grade arbitrage, prefer well-audited tools or build your own with transparent RPC/API usage and secure key management.

Review Dimensions

Purpose & Capability
concern: The name and description promise real-time multi-DEX price comparison, gas-aware profit estimation, and support for ETH/BSC/Arbitrum. The included script performs no live queries (it returns hardcoded sample opportunities) and implements no chain or gas logic, which is inconsistent with the stated purpose.
Instruction Scope
note: SKILL.md is high-level and does not instruct reading unrelated system files or credentials. It is, however, vague about how live prices are obtained, and the runtime artifact (the script) contains no live-data logic either, so the operational behavior differs from what the documentation describes.
Install Mechanism
note: No install spec (instruction-only), which minimizes installation risk. The included Python script imports 'requests' but no install step declares it, so the script may fail at runtime if 'requests' is not already present. No external archive downloads or suspicious URLs are present.
Credentials
ok: The skill requests no environment variables, credentials, or config paths, which is proportionate to a read-only scanner. There are no declared secrets, and nothing suggests unauthorized access to unrelated services.
Persistence & Privilege
ok: The always flag is false, and the skill neither requests persistent system-level privileges nor modifies other skills. Autonomous invocation is allowed (the platform default) but is not combined with other high-risk factors here.
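The Purpose & Capability, Install Mechanism and Credentials findings above, and step 2 of the guidance, all come down to the same question: does the shipped script actually do what the metadata says? The following is an added example of how a reviewer can answer that statically, with a small Python AST walk; it is not ClawHub's scanner and not the Arbitrage Scanner skill's own code. The two embedded scripts are constructed samples: SAMPLE_SCRIPT mirrors the behavior this review describes (imports requests, never calls it, returns hardcoded opportunities), and LIVE_SCRIPT shows what a script that really fetches prices and reads an API key looks like. The module lists (NETWORK_MODULES, FALLBACK_STDLIB) and the example URL and variable name are assumptions for illustration.

```python
"""Static checks over a skill's Python artifact: undeclared imports, network
call sites, environment reads and functions that only return constants.
Added example, not the ClawHub scanner or the reviewed skill's code.
Assumes Python 3.9+ (ast.Subscript.slice is the index expression)."""
import ast
import sys

# Constructed sample: what this review says the shipped script does.
SAMPLE_SCRIPT = '''
import json
import requests

def scan_arbitrage(chains=("ethereum", "bsc", "arbitrum")):
    return [
        {"pair": "WETH/USDC", "buy": "UniswapV3", "sell": "SushiSwap", "profit_pct": 0.42},
        {"pair": "WBNB/BUSD", "buy": "PancakeSwap", "sell": "BiSwap", "profit_pct": 0.31},
    ]

if __name__ == "__main__":
    print(json.dumps(scan_arbitrage(), indent=2))
'''

# Constructed contrast: a script that does reach the network and reads a secret.
LIVE_SCRIPT = '''
import os
import requests

def fetch_price(pair):
    key = os.environ.get("DEX_API_KEY")
    resp = requests.get("https://example.invalid/price", params={"pair": pair}, headers={"X-Key": key}, timeout=10)
    return resp.json()["price"]
'''

# Assumption: a non-exhaustive list of modules whose calls mean "talks to the network".
NETWORK_MODULES = {"requests", "urllib", "httpx", "aiohttp", "web3", "websockets", "socket"}
# Fallback for interpreters without sys.stdlib_module_names (added in 3.10).
FALLBACK_STDLIB = {"json", "os", "sys", "time", "re", "math", "typing", "decimal", "datetime"}


def imported_modules(tree):
    """Top-level module names imported anywhere in the tree."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def _dotted_name(node):
    """'os.environ.get' for an Attribute chain rooted at a Name, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def network_call_sites(tree):
    """(lineno, dotted callee) for every call rooted at a network module."""
    sites = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name and name.split(".")[0] in NETWORK_MODULES:
                sites.append((node.lineno, name))
    return sorted(sites)


def env_reads(tree):
    """(lineno, variable name or None) for os.environ / os.getenv accesses."""
    reads = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _dotted_name(node.func) in ("os.getenv", "os.environ.get"):
            key_node = node.args[0] if node.args else None
        elif isinstance(node, ast.Subscript) and _dotted_name(node.value) == "os.environ":
            key_node = node.slice
        else:
            continue
        key = key_node.value if isinstance(key_node, ast.Constant) else None
        reads.append((node.lineno, key))
    return sorted(reads, key=lambda r: r[0])


def _is_literal(node):
    """True if the expression is a pure constant (list/dict/number/str ...)."""
    try:
        ast.literal_eval(node)
        return True
    except (ValueError, TypeError, SyntaxError, MemoryError, RecursionError):
        return False


def hardcoded_return_functions(tree):
    """Functions whose every return value is a constant expression."""
    found = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            returns = [r for r in ast.walk(node) if isinstance(r, ast.Return) and r.value is not None]
            if returns and all(_is_literal(r.value) for r in returns):
                found.append(node.name)
    return found


def review_artifact(source, declared_deps=()):
    """Compare what the script imports and does against its declared install spec."""
    tree = ast.parse(source)
    stdlib = getattr(sys, "stdlib_module_names", FALLBACK_STDLIB)
    imports = imported_modules(tree)
    calls = network_call_sites(tree)
    called_roots = {name.split(".")[0] for _, name in calls}
    return {
        "undeclared_deps": sorted(imports - stdlib - set(declared_deps)),
        "network_calls": calls,
        "unused_network_imports": sorted((imports & NETWORK_MODULES) - called_roots),
        "env_reads": env_reads(tree),
        "hardcoded_return_functions": hardcoded_return_functions(tree),
    }


if __name__ == "__main__":
    for label, src, deps in (("shipped", SAMPLE_SCRIPT, ()), ("live", LIVE_SCRIPT, ("requests",))):
        print(label, review_artifact(src, deps))
```

Run against the constructed shipped-style script, the checker reports `requests` as both undeclared and imported-but-never-called, no network call sites, no environment reads, and `scan_arbitrage` as a function that only returns constants: exactly the mismatch between metadata and artifact this review flags. Against the live-style script it reports one `requests.get` call site and one read of `DEX_API_KEY`, which is the point at which the Credentials dimension would have to change from "requests no secrets" to a review of how that key is stored.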