SaucerSwap Arbitrage
v1.0.0
Perform triangular arbitrage on Hedera using SaucerSwap to find, calculate, and execute profitable multi-hop token swaps atomically.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill says it will find and execute atomic multi-hop swaps on Hedera, but it declares no credentials, no signing method, and no account/keys. Executing transactions on Hedera requires an account ID and private key (or a wallet signing flow). The skill also mixes EVM-style 0x contract addresses with Hedera token IDs (0.0.x), which is inconsistent with a coherent deployment plan.
Instruction Scope
The SKILL.md includes code snippets that call an external API and shows a ContractExecuteTransaction to run a swap, but the instructions are vague: they use token symbols (e.g., 'USDC') where APIs typically expect token addresses/IDs, assume getQuote returns a raw numeric value, and do not explain how to obtain signatures or submit transactions. This leaves wide discretionary behavior and omits critical steps (wallet integration, signing, nonce/fee handling, error handling).
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. That reduces risk from arbitrary downloads or disk writes. However, the examples reference Node (axios) and Hedera SDK constructs without declaring dependencies, which is incomplete but not itself an install risk.
Credentials
The skill requires no environment variables or credentials despite claiming the ability to submit on-chain swaps. Performing swaps requires sensitive credentials (account ID / private key) or a delegated wallet signing flow; the absence of any declared credential requirements is a mismatch and suggests the instructions are incomplete or could encourage insecure practices (e.g., pasting private keys into chat).
Persistence & Privilege
always is false and there is no persistence/install behavior. Autonomous invocation is allowed by default (platform standard), but combined with the credential omission this is a usability/consistency problem rather than a direct elevation of privilege.
What to consider before installing
This SKILL.md is incomplete and inconsistent with its stated goal. Before using it:
(1) Do NOT paste or store private keys into the agent — require wallet-based signing (HashPack or other) so the agent cannot exfiltrate keys.
(2) Ask the author how signing and submission are performed: the skill must declare how it obtains an account ID and private key or integrate a user-driven wallet prompt.
(3) Verify and correct addresses and API usage: confirm whether SaucerSwap uses Hedera IDs (0.0.x), EVM addresses (0x...), or a specific API token format, and test the quoted endpoints (e.g., mainnet-api.saucerswap.fi) on testnet first.
(4) Require explicit environment variables or an OAuth-like wallet flow if automation is needed; otherwise keep execution manual.
(5) Test all logic on Hedera testnet with small amounts and review returned quote formats (responses are likely objects, not a single number).
Given the mismatches (address formats, missing credentials, vague API expectations), treat this skill as suspicious and demand clarifications or a revised implementation before running it against mainnet funds.
Like a lobster shell, security has layers — review code before you run it.
