Defi Sniper
v1.0.0
Orchestrates early token launch detection, on-chain risk analysis, social signal verification, and guarded swap execution on Solana and Base chains.
by Hagen Hoferichter (@h4gen)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the requested binaries (node, npx) and declared env vars (MINARA_API_KEY, SOLANA_RPC_URL) because the skill is a meta-orchestrator of Minara/Torch stacks. Declared requirement of 'skills.entries.minara.enabled' is plausible for a meta-skill that delegates to Minara. Minor mismatch: the SKILL.md repeatedly references other secrets/configs (Circle Wallet signer, chain private-key fallback, VAULT_CREATOR, linked agent wallet) that are functionally required for live execution but are not listed in requires.env.
Instruction Scope
SKILL.md is instruction-only and tells the agent to install and orchestrate minara, torchmarket, and torchliquidationbot via npx. It explicitly instructs using signers/vaults and possible private-key fallbacks for live transactions and calls for external web searches for social verification. Those directions mean the agent will need to access private keys or vault credentials and interact with external web tools; those sensitive accesses are not consistently declared or gated in the skill file. The doc does include preflight checks and a 'do not run live' admonition if inputs are missing, but that relies on agent/installer discipline rather than enforced declarations.
Install Mechanism
The skill is instruction-only (no install spec), so it will not itself write code to disk, but it instructs running 'npx -y clawhub@latest install ...' to fetch upstream skills. Using npx to pull packages is expected for this workflow but still means third-party code will be installed and executed on the host at runtime — a moderate-risk action that the SKILL.md delegates to the agent/user.
Credentials
Only MINARA_API_KEY and SOLANA_RPC_URL are declared as required env vars, which are reasonable. However, live execution requires signing capability (Circle Wallet, private key) and possibly vault credentials (VAULT_CREATOR and a linked agent wallet), which are referenced but not declared. This mismatch hides additional sensitive secrets the agent will need to access, increasing the chance of accidental exposure or misconfiguration.
Persistence & Privilege
The skill does not request always:true and allows autonomous invocation (platform default). That combination is not itself a red flag, but because the skill orchestrates live on-chain transactions and may request signing credentials at runtime, enabling autonomous invocation increases the blast radius. The skill also requires another skill to be enabled via 'skills.entries.minara.enabled' but does not claim to alter other skills' configurations.
What to consider before installing
This skill is coherent with its stated goal but has notable gaps that increase risk. Before installing or enabling live execution:
1) Do not provide private keys directly — prefer a vault or hardware signer with constrained permissions and verify any vault env var names (e.g., VAULT_CREATOR) that the orchestration may require.
2) Treat MINARA_API_KEY as sensitive and scope its permissions; confirm what Minara can do with that key.
3) Run initial testing in 'observe' or 'paper' mode and use dry-runs only; never allow 'live' or 'auto-with-guardrails' until you’ve validated behavior.
4) Audit the upstream packages (minara, torchmarket, torchliquidationbot) that the SKILL.md instructs you to install via npx — npx will fetch and run third-party code.
5) If you must run live trades, restrict the agent’s network and host environment, and require manual-confirmation execution_policy so the agent cannot autonomously sign transactions.
6) Ask the skill author to declare all required env vars and config paths (signer/vault variables) explicitly in the skill manifest and to document exact external endpoints used for social checks; absence of those declarations is the main coherence/privilege concern.
Like a lobster shell, security has layers — review code before you run it.
latest: vk971hpszhhm9mng9hv0s82t3p1814jj4
Runtime requirements
Clawdis
Bins: node, npx
Env: MINARA_API_KEY, SOLANA_RPC_URL
Config: skills.entries.minara.enabled
