Torch Liquidation Bot
v4.0.4Autonomous vault-based liquidation keeper for Torch Market lending on Solana. Scans all migrated tokens for underwater loan positions (LTV > 65%) using the S...
⭐ 1· 2.4k·0 current·0 all-time
bymr brightside@mrsirg97-rgb
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (Torch liquidation keeper) match the requested env vars and code: SOLANA_RPC_URL (RPC endpoint), VAULT_CREATOR (vault pubkey), and optional SOLANA_PRIVATE_KEY (disposable controller). All code paths and metadata show the bot scans loan positions and executes vault-routed liquidations — these credentials are expected and proportional for that purpose.
Instruction Scope
SKILL.md and bundled code are limited to scanning tokens, building liquidation transactions via the bundled torchsdk, locally signing with an in-process (or provided disposable) keypair, and submitting transactions to the Solana RPC. Instructions do not request unrelated files, system secrets, or network endpoints beyond the declared RPC and optional links/documentation URLs. The skill explicitly disables autonomous model invocation (disable-model-invocation: true).
Install Mechanism
The skill is described as instruction-only and bundles full source (lib/torchsdk and lib/kit) so nothing must be downloaded at runtime. Metadata contains an optional npm install entry for torch-liquidation-bot; however the top-level registry entry states 'No install spec'. This is a minor inconsistency: the package can be installed via npm if the user chooses, but nothing in SKILL.md forces a remote download. No high-risk arbitrary URL downloads were present in the provided files.
Credentials
Only three env vars are declared: SOLANA_RPC_URL (required), VAULT_CREATOR (required), and SOLANA_PRIVATE_KEY (optional). These are directly relevant to operating a Solana keeper and no unrelated secrets (AWS, GitHub tokens, etc.) are requested. The optional private key is explicitly described as disposable and the documentation warns to keep value in the vault rather than the agent keypair.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and sets disable-model-invocation: true, preventing autonomous invocation. It doesn't require system-wide config changes or other skills' credentials. It only runs a local scan loop and submits on-chain transactions when explicitly run.
Assessment
This skill appears coherent for running a vault-based Solana liquidation keeper. Before installing or running it: 1) Verify the code origin (kit-source and npm package) and confirm the GitHub repo and npm package contents match the bundled files. 2) DO NOT provide a long-lived or high-value private key — if you supply SOLANA_PRIVATE_KEY, use a fresh disposable key with only dust for gas as documented. 3) Create and fund the vault from your authority wallet and link the agent wallet as instructed (the bot prints the exact link transaction). 4) If you plan to install the npm package, review the package on npm (versions, publish history) and the repository for post-install hooks. 5) Run initially in a monitored environment / testnet or fork to observe behavior before running on mainnet. Note: there is a small metadata inconsistency (some registry fields printed as [object Object] and an optional npm install entry despite the skill being instruction-only) — this is likely a packaging/metadata issue, not a functional security problem, but you should confirm the exact install steps and sources before automatic installs.Like a lobster shell, security has layers — review code before you run it.
latestvk97dhxpvra8r82nsc19kwkxa3182178h
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Env[object Object], [object Object], [object Object]