v1.0.0

SaucerSwap Arbitrage

Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:42 AM.

Analysis

This skill is clearly about SaucerSwap arbitrage, but it instructs an agent to execute real mainnet token swaps without clearly requiring user confirmation, wallet limits, or transaction bounds.

Guidance: Review carefully before installing. This is not just a quote-checking helper; it is intended to execute financial swaps. Use a dedicated low-balance wallet, verify contract addresses independently, set strict trade and slippage limits, and require explicit confirmation before every signed transaction.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High, Confidence: High, Status: Concern
SKILL.md
description: Execute triangular arbitrage on Hedera via SaucerSwap. Use for: ... (4) Executing atomic swaps.

The skill’s stated purpose includes executing real DEX swaps, which can move or lose user funds. The artifacts do not clearly require human confirmation, maximum trade size, testnet use, or other transaction boundaries.

User impact: If used with a funded wallet, the agent could submit financial trades that may lose money due to price movement, slippage, wrong parameters, or bad contract details.
Recommendation: Only use with explicit per-transaction approval, small limits, verified contract addresses, and a dedicated wallet with limited funds.

Agentic Supply Chain Vulnerabilities
Severity: Medium, Confidence: Medium, Status: Note
metadata
Source: unknown
Homepage: none

The skill provides mainnet contract addresses for financial execution, but the supplied metadata does not provide a source or homepage to help verify provenance.

User impact: A user may rely on unverified contract details when performing real token swaps.
Recommendation: Independently verify all SaucerSwap contract and token addresses from official sources before using the skill for mainnet transactions.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High, Confidence: High, Status: Concern
SKILL.md
// Via HashPack or direct contract call
const tx = new ContractExecuteTransaction()
  .setContractId(poolAddress)
  .setFunction("swap")

The skill instructs use of wallet or account signing authority to call swap contracts, but the registry metadata declares no primary credential, required environment variables, or scoped account requirements.

User impact: The skill may require access to a Hedera wallet capable of signing transactions that spend assets, but the artifact does not clearly define which account, token allowances, or permissions should be used.
Recommendation: Use a limited-purpose wallet, avoid broad token allowances, and require the agent to show the full transaction details before signing.