Defi Arbitrage

The package mostly matches an arbitrage agent but contains multiple mismatches and privacy/risk gaps (private-key handling, remote payment endpoint, CORS/logging), so it requires careful review before use.

This skill is plausible for DeFi arbitrage but contains inconsistencies and privacy risks. Before installing: (1) Do NOT send any real private keys to the agent or to POST /execute; the API requests executor_private_key which is sensitive. (2) Lock MERCHANT_BOT_URL to a trusted, local service (default is http://localhost:8202). If you must set it, ensure it points only to an endpoint you control; a remote merchant URL could be used to exfiltrate payments/metadata. (3) Run the agent in an isolated environment (container or VM) with restricted outbound network access except to your intended RPC endpoints. (4) Review the full source (there is a truncated portion in the provided package) to confirm whether any code actually sends keys or other data off-host; check for additional network calls and what is logged to agent.log. (5) Note packaging sloppiness: install.sh copies a missing Dockerfile, and skill.json and requirements.txt disagree on dependencies — ask the author for provenance and a reproducible build. If you need this capability and the author is trusted, run tests in a sandboxed environment and restrict MERCHANT_BOT_URL to localhost before providing any secrets.