Torch Liquidation Bot

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill is transparent about being an autonomous Solana liquidation bot, but it can sign real transactions and use vault funds, so users should run it only with tightly limited funds and credentials.

Install only if you want an autonomous DeFi keeper that can submit real Solana transactions. Use a fresh disposable controller wallet, never a vault authority or main wallet, limit the funds placed in the vault, verify the npm package if you install it, and monitor the bot while it runs.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If started with a linked vault, the bot can repeatedly spend vault SOL on liquidations and change on-chain financial positions.

Why it was flagged

The skill clearly discloses that it can autonomously build, sign, submit, and confirm liquidation transactions, which is expected for the stated liquidation-bot purpose but financially impactful.

Skill content

This is not a read-only scanner. This is a fully operational keeper that generates its own keypair, verifies vault linkage, and executes liquidation transactions autonomously in a continuous loop.

Recommendation

Run it only if you intend autonomous liquidations; use a vault with limited funds, monitor activity, and stop the bot if behavior or market conditions are not acceptable.

What this means

Supplying the wrong private key, especially a vault authority key or valuable wallet, could expose far more authority than the bot needs.

Why it was flagged

The skill may use a Solana private key and vault linkage, but it describes the key as optional and gives appropriate guidance to use only a disposable controller key.

Skill content

"SOLANA_PRIVATE_KEY" ... "sensitive": true ... "Should be a fresh keypair with ~0.01 SOL for gas. Holds no value. All liquidation capital lives in the vault. NEVER supply a vault authority key."

Recommendation

Prefer the generated/disposable controller key, never provide a main wallet or vault authority key, and verify which wallet is linked to the vault.

What this means

Installing from npm instead of using the bundled reviewed code could run a package version different from the bundled artifacts.

Why it was flagged

The documented optional npm install uses a version range, which can resolve to later compatible releases; this is a normal install pattern but users should verify provenance for financial automation.

Skill content

package: torch-liquidation-bot@^10.7.1 ... "Install Torch Liquidation Bot (npm, optional -- SDK is bundled in lib/torchsdk/ and bot source is bundled under lib/kit on clawhub)"

Recommendation

If using npm, pin and verify the exact package version and source; otherwise prefer the bundled code path when available.

Note (High Confidence)

ASI10: Rogue Agents

What this means

Once started, the bot may continue scanning and attempting liquidations until stopped.

Why it was flagged

The bot is intentionally long-running and autonomous, but the behavior is disclosed and paired with operational controls such as shutdown, retry, and balance threshold features.

Skill content

"capabilities": [ ... "autonomous-scan-loop", ... "graceful-shutdown", "retry-with-backoff", "balance-pause-threshold" ]

Recommendation

Run it in a supervised environment, confirm shutdown behavior, and set conservative scan and funding limits.