Outsmart LP Farming

WarnAudited by ClawScan on May 10, 2026.

Overview

This skill is a real-money Solana liquidity-management tool that needs a wallet private key and can move funds, so it should be reviewed carefully before use.

Install only if you intentionally want an agent-assisted DeFi tool to manage real Solana liquidity positions. Use a separate wallet with limited funds, verify the outsmart CLI package, check every pool/token address and amount, and require explicit confirmation before any transaction.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

High

#ASI03: Identity and Privilege Abuse

What this means

If used with a main wallet, the skill or installed CLI could spend or reposition real funds on Solana.

Why it was flagged

The skill requires a Solana wallet private key and mainnet endpoint, giving the CLI authority to sign real on-chain transactions.

Skill content

"requires": { "bins": ["outsmart"], "env": ["PRIVATE_KEY", "MAINNET_ENDPOINT"] }

Recommendation

Use only a dedicated low-balance wallet, avoid exposing a primary private key, and verify the CLI source and each transaction before signing.

High

#ASI02: Tool Misuse and Exploitation

What this means

A mistaken or over-autonomous invocation could add, remove, or allocate liquidity in ways that lose money or create unwanted public on-chain actions.

Why it was flagged

The documented workflow includes fund-moving and pool-creation commands, including full liquidity removal, without documented confirmation gates, limits, or transaction preview requirements.

Skill content

outsmart add-liq ...; outsmart remove-liq --dex meteora-dlmm --pool POOL --pct 100; outsmart create-pool ... --max-fee 9900

Recommendation

Require explicit user approval for every transaction, review exact token/pool addresses and amounts, and prefer quote or dry-run steps before state-changing commands.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

The safety of the fund-moving behavior depends on the external package that will be installed.

Why it was flagged

The skill depends on an external npm package to perform the actual wallet operations, while the provided artifact set contains only SKILL.md and no reviewable CLI code.

Skill content

node | package: outsmart | creates binaries: outsmart

Recommendation

Inspect the npm package and GitHub repository, confirm the package name and version, and install only from a trusted source.