Skill v1.0.0

ClawScan security

KyberSwap Arbitrage · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 14, 2026, 8:51 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's description says it will execute arbitrage trades, but its instructions and registry metadata omit the credentials and runtime details (RPC endpoint, signing key or wallet) needed to perform on-chain swaps. That mismatch between declared capability and declared requirements should be resolved before the skill is trusted or installed.
Guidance
This skill contains reasonable arbitrage logic but is missing critical operational detail: how it connects to Base (an RPC endpoint) and how it signs transactions (a private key or another signer). Before installing or running it, ask the publisher for the source code and an explicit list of required environment variables (RPC_URL, and PRIVATE_KEY or the signer method), and verify where those values would be provided. Never paste a private key into a skill UI or hand it to an untrusted skill.

If you do decide to use the skill: test on a non-production network with a wallet holding minimal funds; verify every contract and token address on a block explorer; keep the trading account in a dedicated hot wallet with a small balance; and require explicit, auditable signing, with transactions signed locally under your own policy, rather than giving the skill custody of keys. If the publisher cannot provide source or clarify how credentials are handled, treat the skill as unsafe to run with real funds.
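The "sign locally under your own policy" step above, as an added example (not code from the ClawHub page or from the KyberSwap Arbitrage skill): a small signing policy that sits between the skill and the wallet key. The skill never receives the private key; it hands transaction requests to GuardedSigner, which enforces the chain, an allowlist of verified contract addresses, an allowlist of function selectors, a value cap and a gas cap, records every decision for audit, and only then forwards the request to the real signer. The wrapped signer is assumed to expose signTransaction(tx) in the ethers.js Wallet shape and is stubbed here; the router address is a placeholder, and the Base chain ID and the swapExactTokensForTokens selector are assumptions about the skill's target, not values taken from the page.

```javascript
// Added example: local signing policy in front of a wallet key.
// Not code from the ClawHub page or the reviewed skill; the signer is stubbed.

const BASE_MAINNET_CHAIN_ID = 8453; // assumed target (Base mainnet); Base Sepolia is 84532

class GuardedSigner {
  constructor(signer, policy) {
    this.signer = signer; // real signer, e.g. an ethers.js Wallet; never exposed to the skill
    this.allowedTo = new Set(policy.allowedTo.map((a) => a.toLowerCase()));
    this.allowedSelectors = new Set(policy.allowedSelectors.map((s) => s.toLowerCase()));
    this.chainId = policy.chainId;
    this.maxValueWei = BigInt(policy.maxValueWei);
    this.maxGasLimit = BigInt(policy.maxGasLimit);
    this.confirm = policy.confirm; // (tx) => boolean, e.g. an interactive operator prompt
    this.auditLog = [];
  }

  // Evaluate one transaction request against the policy. Synchronous and side-effect
  // free apart from the audit entry, so it can be unit-tested; returns { ok, reason }.
  authorize(tx) {
    const record = (ok, reason) => {
      this.auditLog.push({ at: new Date().toISOString(), to: tx.to, ok, reason });
      return { ok, reason };
    };
    if (tx.chainId !== this.chainId) return record(false, `chainId ${tx.chainId}, expected ${this.chainId}`);
    if (typeof tx.to !== "string" || !this.allowedTo.has(tx.to.toLowerCase()))
      return record(false, `destination ${tx.to} is not an allowlisted contract`);
    const selector = typeof tx.data === "string" ? tx.data.slice(0, 10).toLowerCase() : "";
    if (!this.allowedSelectors.has(selector)) return record(false, `function selector ${selector || "(none)"} not allowed`);
    if (BigInt(tx.value ?? 0) > this.maxValueWei) return record(false, `value ${tx.value} exceeds cap ${this.maxValueWei}`);
    if (BigInt(tx.gasLimit ?? 0) > this.maxGasLimit) return record(false, `gasLimit ${tx.gasLimit} exceeds cap ${this.maxGasLimit}`);
    if (!this.confirm(tx)) return record(false, "operator declined");
    return record(true, null);
  }

  // The only path to a signature: policy decision first, then the real signer.
  async signTransaction(tx) {
    const decision = this.authorize(tx);
    if (!decision.ok) throw new Error(`refused to sign: ${decision.reason}`);
    return this.signer.signTransaction(tx);
  }
}

// Constructed sample data: placeholder router address and a stub signer, not real contracts or keys.
const ROUTER = "0x1111111111111111111111111111111111111111";
// 4-byte selector of swapExactTokensForTokens(uint256,uint256,address[],address,uint256),
// the Uniswap-V2-style signature the skill's instructions call; assumed to match its router.
const SWAP_EXACT_TOKENS_FOR_TOKENS = "0x38ed1739";
const stubSigner = { signTransaction: async (tx) => `signed:${tx.to}` };

function makeGuard() {
  return new GuardedSigner(stubSigner, {
    chainId: BASE_MAINNET_CHAIN_ID,
    allowedTo: [ROUTER],
    allowedSelectors: [SWAP_EXACT_TOKENS_FOR_TOKENS],
    maxValueWei: 10n ** 16n, // 0.01 ETH: the most a single arbitrage leg may send
    maxGasLimit: 500000n,
    confirm: () => true, // replace with an interactive prompt in real use
  });
}

// Exercise the policy with one legitimate swap and three requests a rogue skill might make.
function demo() {
  const guard = makeGuard();
  const swap = { chainId: BASE_MAINNET_CHAIN_ID, to: ROUTER, value: 0n, gasLimit: 300000n,
                 data: SWAP_EXACT_TOKENS_FOR_TOKENS + "00".repeat(160) };
  const results = {
    swap: guard.authorize(swap),
    wrongContract: guard.authorize({ ...swap, to: "0x2222222222222222222222222222222222222222" }),
    drain: guard.authorize({ ...swap, value: 10n ** 18n }),
    wrongFunction: guard.authorize({ ...swap, data: "0xa9059cbb" + "00".repeat(64) }), // ERC-20 transfer(address,uint256)
  };
  return { results, auditEntries: guard.auditLog.length };
}
```

In real use the skill is given only the GuardedSigner, the allowlist is populated with addresses you have already checked on a block explorer, and `confirm` prompts an operator or consults a policy engine; the audit log is what you review after a test run on a non-production network.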

Review Dimensions

Purpose & Capability
concern: The skill claims to discover and execute on-chain triangular arbitrage on Base (KyberSwap). Executing swaps requires a web3 provider (RPC), a signing wallet or private key, and funded account(s). The registry metadata and SKILL.md declare no required env vars, credentials, or RPC endpoints, which is inconsistent with the stated purpose.
Instruction Scope
note: SKILL.md contains concrete ethers.js calls (getAmountsOut, swapExactTokensForTokens), contract addresses, and safety checks (slippage, gas, reserves). It does not instruct reading local files or unrelated system secrets, but it implicitly requires access to a provider and signer that are not declared. The instructions are narrowly scoped to arbitrage logic but leave out how to obtain an RPC provider and signing authority.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by the platform installer. That is the lower-risk and expected format for a guide-style skill.
Credentials
concern: No environment variables or credentials are declared, yet the functionality necessarily requires sensitive credentials (RPC URL, private key or wallet access) and funded accounts. The absence of declared secrets is disproportionate to the capability and is a red flag for a missing or incomplete specification, or for hidden expectations about how the agent should obtain keys.
Persistence & Privilege
ok: The skill does not request always:true, does not declare any config paths, and does not appear to modify system or other-skill settings. No persistence or elevated platform-wide privilege is requested.
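The Purpose & Capability and Credentials findings above both rest on one check: the capabilities a skill's instructions exercise against the credentials its metadata declares. The following is an added example of that check, written for this page and not ClawHub's scanner code: it scans a SKILL.md for provider-only and signer-requiring ethers.js-style calls, compares them with the declared env vars, flags any env var the text reads without declaring, and lists hard-coded addresses for block-explorer verification. The SKILL.md excerpt, the metadata shape (`env` array) and the addresses are constructed for the example.

```javascript
// Added example: capability-vs-declared-credentials coherence check for a skill.
// Not the ClawHub scanner's implementation; metadata shape and sample text are constructed.

// Calls that need a funded signer: a transaction must be signed with a key.
const SIGNER_CALLS = /swapExactTokensForTokens|sendTransaction|signTransaction|new\s+(?:ethers\.)?Wallet|getSigner/;
// Calls that need only a provider (read-only RPC access).
const PROVIDER_CALLS = /JsonRpcProvider|getDefaultProvider|getAmountsOut|getReserves/;
// Declared env var names that would satisfy each requirement.
const SIGNER_ENV = /^(PRIVATE_KEY|MNEMONIC|SIGNER_|WALLET_)/;
const PROVIDER_ENV = /RPC|PROVIDER/;

function auditSkill(skillMd, metadata) {
  const declared = metadata.env ?? [];
  const findings = [];
  const needsSigner = SIGNER_CALLS.test(skillMd);
  const needsProvider = PROVIDER_CALLS.test(skillMd);

  if (needsSigner && !declared.some((v) => SIGNER_ENV.test(v)))
    findings.push({ level: "concern", dimension: "Credentials",
      msg: "signs transactions but declares no signing credential (PRIVATE_KEY, MNEMONIC or signer)" });
  if (needsProvider && !declared.some((v) => PROVIDER_ENV.test(v)))
    findings.push({ level: "concern", dimension: "Credentials",
      msg: "needs an RPC provider but declares no RPC_URL-style variable" });

  // Env vars the instructions read but the metadata never declares: a hidden expectation.
  for (const m of skillMd.matchAll(/process\.env\.([A-Z0-9_]+)/g)) {
    if (!declared.includes(m[1]))
      findings.push({ level: "concern", dimension: "Credentials", msg: `reads ${m[1]} without declaring it` });
  }

  // Hard-coded addresses are not a finding by themselves, but each must be checked on a block explorer.
  const addresses = [...new Set((skillMd.match(/0x[0-9a-fA-F]{40}/g) ?? []).map((a) => a.toLowerCase()))];
  if (addresses.length)
    findings.push({ level: "note", dimension: "Instruction Scope",
      msg: `verify ${addresses.length} hard-coded address(es) on a block explorer: ${addresses.join(", ")}` });

  const verdict = findings.some((f) => f.level === "concern") ? "suspicious" : "ok";
  return { verdict, needsSigner, needsProvider, addresses, findings };
}

// Constructed SKILL.md excerpt in the shape the review describes; the addresses are placeholders.
const SAMPLE_SKILL_MD = `
# KyberSwap Arbitrage
Quote each leg with router.getAmountsOut(amountIn, path), then execute with
router.swapExactTokensForTokens(amountIn, minOut, path, wallet.address, deadline).
Router: 0x1111111111111111111111111111111111111111
WETH:   0x2222222222222222222222222222222222222222
Abort if slippage exceeds 0.5% or the gas estimate exceeds the expected profit.
`;

// Run the check against metadata that declares nothing (the case on this page)
// and against metadata that declares the credentials the instructions need.
function demo() {
  const base = { name: "kyberswap-arbitrage", version: "1.0.0" };
  return {
    undeclared: auditSkill(SAMPLE_SKILL_MD, { ...base, env: [] }),
    declared: auditSkill(SAMPLE_SKILL_MD, { ...base, env: ["RPC_URL", "PRIVATE_KEY"] }),
  };
}
```

The regex lists are deliberately short and easy to extend; the point is the comparison, not the catalogue. A skill that declares the right variables still needs the publisher to say how they are handled, so a clean result here lowers the concern to the questions in the Guidance section rather than closing it.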