Trench

v0.1.0

Fast meme coin trading execution for AI agents. Snipe new token launches, execute rapid buys/sells on Solana DEXs (Jupiter, Raydium, Pump.fun), with MEV prot...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill advertises executing trades, Jito bundle submission, MEV protection, multi-wallet management and API integrations, yet the registry entry declares no required environment variables, no binaries, and no install. A trading execution skill would reasonably need RPC endpoints, wallet private keys (or signing capability), and likely API keys — their absence is a mismatch.
Instruction Scope
SKILL.md is high-level and largely a placeholder. It outlines scripts (buy.py, snipe.py, safety.py) and capabilities but contains no concrete runtime commands or safe handling instructions. It also references wallet concepts (example: 'WIF position') and external APIs (Rugcheck, DexScreener, Jito), which implies access to secrets and network resources; the instructions are vague and grant broad agent discretion.
Install Mechanism
There is no install spec and no code files present, so currently nothing would be written to disk by installing the skill — that lowers immediate risk. However, the SKILL.md describes scripts and a non-trivial architecture that are missing: future releases could introduce high-risk install steps (downloads, native binaries, or wallet integrations).
Credentials
The functionality described inherently requires sensitive credentials (private keys/WIF, RPC provider URLs, possibly API keys for Rugcheck/DexScreener) but the skill declares none. That discrepancy is worrying: either the skill will later ask for secrets out-of-band, or it omits crucial security information. Requesting or handling private keys without explicit, auditable code is a red flag.
Persistence & Privilege
always:false (normal). The skill allows autonomous invocation (platform default). While autonomous invocation alone is not a violation, combining it with the ability to execute trades and manage wallets increases impact if the skill is later updated with code that can act on funds — exercise extra caution before granting autonomous execution.
What to consider before installing
Do not provide private keys, WIFs, or permanent API secrets to this skill. The package is currently a placeholder: it advertises trading and wallet management but contains no code or declared credential requirements, which is inconsistent. Before installing or using it:
(1) ask the author for the exact code and install steps;
(2) require a minimal, auditable code review that shows how keys are stored/used;
(3) insist on explicit environment variables and a safe signing workflow (e.g., hardware wallet or remote signer) rather than plain private keys;
(4) if you test, use a throwaway account and tiny funds in a sandboxed environment;
(5) prefer skills from known authors or with verifiable source and release artifacts.
If the skill later adds install steps that download archives or binaries, treat that as higher risk and re-evaluate.

Like a lobster shell, security has layers — review code before you run it.
