SaucerSwap Arbitrage
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is transparent about DeFi arbitrage, but it tells an agent how to execute mainnet token swaps without clear user-confirmation, trade-limit, or contract-verification boundaries.
Treat this as a high-risk financial automation skill. It is acceptable for quote research, but do not let it execute swaps unless you independently verify contract addresses, use a limited wallet, set strict trade and loss limits, and approve each transaction manually.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent is given wallet or transaction tools, it could attempt trades that move or lose user funds without sufficiently clear guardrails.
The skill directs the agent toward executing financial swaps on mainnet, but the artifacts do not require explicit user confirmation, bounded trade size, stop-loss limits, or dry-run validation before submitting transactions.
description: Execute triangular arbitrage on Hedera via SaucerSwap... Executing atomic swaps... const tx = new ContractExecuteTransaction() ... .setFunction("swap")
Require explicit user approval for every transaction, verify expected inputs/outputs and fees, set maximum trade and loss limits, and default to quote-only or simulation mode unless the user opts into execution.
Using the skill for execution would require signing transactions with an account that holds funds.
The skill implies use of a user wallet or Hedera signing authority. This is expected for swap execution, but users should recognize that wallet approval grants financial authority.
Via HashPack or direct contract call... Must use Hedera native signing
Use a dedicated wallet with limited funds, review every wallet prompt, and do not provide private keys or broad signing authority to the agent.
Relying on stale or incorrect contract details could lead to failed transactions or loss of funds.
For a mainnet DeFi skill that provides contract addresses and transaction guidance, lack of source provenance or a homepage makes it harder to verify that the addresses and workflows are official or current.
Source: unknown; Homepage: none
Independently verify all contract addresses, token IDs, and SaucerSwap API endpoints from official SaucerSwap and Hedera sources before using the skill for execution.
