Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Outsmart LP Farming

v1.0.0

Manage LP positions on Solana DEXes to earn swap fees. Use when: user asks about LP farming, providing liquidity, earning yield, compounding fees, DLMM, DAMM...

by vincent so @outsmartchad
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (LP farming on Solana) matches what's required: a CLI named 'outsmart' and Solana access (PRIVATE_KEY, MAINNET_ENDPOINT). There are no unrelated binaries or credentials requested.
Instruction Scope
SKILL.md only instructs running the outsmart CLI to query, create pools, add/remove liquidity, claim fees and rebalance. It does not ask the agent to read arbitrary files, other env vars, or exfiltrate data. Commands shown require signing and RPC access — consistent with the task.
Install Mechanism
Install uses npm (package 'outsmart') to provide the 'outsmart' binary. npm installs are common but carry supply-chain risk; no arbitrary download URLs or extract steps are present, which reduces risk compared to direct downloads.
Credentials
PRIVATE_KEY and MAINNET_ENDPOINT are appropriate and expected for a CLI that signs Solana transactions and talks to a node. These are sensitive — the skill does not request additional unrelated secrets.
Persistence & Privilege
always:false and no special OS/config paths requested. The skill does not ask to modify other skills or system-wide settings.
Assessment
This skill appears to do what it says, but you should take precautions before installing:
1) Verify the npm package and the linked GitHub repo (maintainer, recent commits, stars, issues) to ensure the CLI is legitimate.
2) Never put your primary long-term private key in an environment variable on shared hosts; prefer a wallet that can sign transactions (hardware wallet or dedicated signing service) or use an ephemeral key with limited funds.
3) Use a trusted RPC endpoint for MAINNET_ENDPOINT (or run your own) to avoid man-in-the-middle or front-running risks.
4) Audit the outsmart CLI code (or run it in a sandbox) before giving it signing credentials; npm packages can carry supply-chain risk.
5) Test commands on devnet/testnet first with small amounts.
6) If you need autonomous agent invocation, be aware the agent could run the CLI without interactive approval — keep credentials restricted.
If any of these checks fail, treat the package as untrusted and do not provide your PRIVATE_KEY.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

Bins: outsmart
Env: PRIVATE_KEY, MAINNET_ENDPOINT

Install

Install outsmart CLI (npm)
Bins: outsmart
npm i -g outsmart
