Torch Liquidation Bot

Pass: Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: torchliquidationbot
Version: 10.7.1

The skill bundle implements an autonomous liquidation bot for the Torch Market protocol on Solana. The code follows a security-conscious architecture using ephemeral, in-process keypairs and a vault-based escrow system to limit the agent's financial authority. Analysis of the bot logic (lib/kit/index.js) and the underlying SDK (lib/torchsdk/) confirms that private keys are never transmitted or stored, and network activity is restricted to standard Solana RPC calls, price fetching from CoinGecko, and reputation checks via SAID Protocol. The metadata URI fetching in tokens.js includes a 10-second timeout to mitigate potential SSRF/hanging risks, and the overall implementation aligns with the extensive security documentation provided.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If started with a linked vault, the bot can repeatedly spend vault SOL on liquidations and change on-chain financial positions.

Why it was flagged

The skill clearly discloses that it can autonomously build, sign, submit, and confirm liquidation transactions, which is expected for the stated liquidation-bot purpose but financially impactful.

Skill content

This is not a read-only scanner. This is a fully operational keeper that generates its own keypair, verifies vault linkage, and executes liquidation transactions autonomously in a continuous loop.

Recommendation

Run it only if you intend autonomous liquidations; use a vault with limited funds, monitor activity, and stop the bot if behavior or market conditions are not acceptable.

What this means

Supplying the wrong private key, especially a vault authority key or valuable wallet, could expose far more authority than the bot needs.

Why it was flagged

The skill may use a Solana private key and vault linkage, but it describes the key as optional and gives appropriate guidance to use only a disposable controller key.

Skill content

"SOLANA_PRIVATE_KEY" ... "sensitive": true ... "Should be a fresh keypair with ~0.01 SOL for gas. Holds no value. All liquidation capital lives in the vault. NEVER supply a vault authority key."

Recommendation

Prefer the generated/disposable controller key, never provide a main wallet or vault authority key, and verify which wallet is linked to the vault.

What this means

Installing from npm instead of using the bundled reviewed code could run a package version different from the bundled artifacts.

Why it was flagged

The documented optional npm install uses a version range, which can resolve to later compatible releases; this is a normal install pattern but users should verify provenance for financial automation.

Skill content

package: torch-liquidation-bot@^10.7.1 ... "Install Torch Liquidation Bot (npm, optional -- SDK is bundled in lib/torchsdk/ and bot source is bundled under lib/kit on clawhub)"

Recommendation

If using npm, pin and verify the exact package version and source; otherwise prefer the bundled code path when available.

Note (High Confidence)
ASI10: Rogue Agents

What this means

Once started, the bot may continue scanning and attempting liquidations until stopped.

Why it was flagged

The bot is intentionally long-running and autonomous, but the behavior is disclosed and paired with operational controls such as shutdown, retry, and balance threshold features.

Skill content

"capabilities": [ ... "autonomous-scan-loop", ... "graceful-shutdown", "retry-with-backoff", "balance-pause-threshold" ]

Recommendation

Run it in a supervised environment, confirm shutdown behavior, and set conservative scan and funding limits.