Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
easyclaw
v0.0.2
Run user-facing EasyClaw DEX actions from a self-contained skill folder. Use when an agent needs to submit user orders or check wallet/margin/order balances...
by ColdBell (@ice-coldbell)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description match what the files implement: Node scripts to query EasyClaw backend, subscribe to websocket channels, and submit Solana DEX orders. Required binaries (node, npm), Solana RPC env vars, program IDs, and a KEYPAIR_PATH or ANCHOR_WALLET are expected for signing transactions and interacting with on-chain programs. Some env var names are duplicated/aliased (EASYCLAW_API_TOKEN / API_AUTH_TOKEN / API_TOKEN) but this is a convenience, not an incoherence.
Instruction Scope
SKILL.md and the scripts instruct the agent to read local wallet keypair files, run `solana config get`, persist selected wallet settings into easyclaw-skill/.env, write strategy files to easyclaw-skill/state/strategies/, spawn child Node.js processes, subscribe to backend websockets, and can run an autotrade loop that will place real orders. All of those behaviors are within the described purpose, but they include local file reads/writes and autonomous order submission (sensitive actions) and so should be explicitly acknowledged before use.
Install Mechanism
No remote arbitrary download/install is embedded in the skill. The provided dex-agent.sh runs `npm install` (standard) and package.json lists typical npm packages (@solana/web3.js, dotenv, ws). npm install will fetch packages from the public registry (normal risk for Node projects). There are no obscure download URLs or extract steps in the manifest.
Credentials
The skill requires direct access to a local Solana keypair file (KEYPAIR_PATH / ANCHOR_WALLET and ~/.config/solana/id.json) and backend API tokens (EASYCLAW_API_TOKEN / aliases). These are necessary to sign transactions and call protected backend endpoints, so the requested credentials are proportional to the trading purpose — but they are highly sensitive. The skill will write the chosen wallet path into a local .env and persist strategy files, increasing persistence of that information on disk.
Persistence & Privilege
always is false and the skill is user-invocable; model invocation is enabled (default). The skill persists a .env file and strategy files under its folder and spawns child processes to execute orders. While it does not request system-wide privileges or modify other skills, its ability to autonomously place orders (realtime autotrade) combined with wallet access is a significant operational privilege — use caution and prefer devnet/localnet or dry-run when testing.
Assessment
This skill appears to do what it says: interact with EasyClaw and submit Solana orders. Before installing:
1) Do NOT point KEYPAIR_PATH at a mainnet/private wallet you cannot afford to risk; prefer a devnet/localnet keypair or a throwaway wallet for testing.
2) Review and confirm EASYCLAW_API_BASE_URL / EASYCLAW_WS_URL and ORDER_ENGINE_PROGRAM_ID / MARKET_REGISTRY_PROGRAM_ID are correct and expected for the network you intend to use.
3) Note that onboarding will read your local keypair file, run `solana config get`, and write the selection into easyclaw-skill/.env; strategy prompts are written to state/strategies/.
4) The skill can autonomously execute orders (autotrade/realtime) — test with --dry-run and small amounts first and consider running in an isolated environment.
5) If you need stronger protection, avoid exposing your primary keypair file and consider using a signing mechanism (hardware or remote signer) instead of a plain filesystem keypair.
6) If you have low trust in the source, review the scripts (already included) and run dex-agent.sh doctor and dex-agent.sh balance on devnet before enabling autonomous operations.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: node, npm
Env: SOLANA_RPC_URL, ANCHOR_PROVIDER_URL, KEYPAIR_PATH, ANCHOR_WALLET, EASYCLAW_API_BASE_URL, EASYCLAW_WS_URL, EASYCLAW_API_TOKEN, ORDER_ENGINE_PROGRAM_ID, MARKET_REGISTRY_PROGRAM_ID, API_BASE_URL, BACKEND_WS_URL, WS_URL, API_AUTH_TOKEN, API_TOKEN
Config: ~/.config/solana/id.json
Primary env: KEYPAIR_PATH
