Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Outsmart LP Sniping

v1.0.0

Buy tokens at or near LP creation on Solana. Use when: user asks about sniping, bonding curve graduation, migration, new pool, LP created, pump fun graduatio...

by vincent so @outsmartchad
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (LP sniping on Solana) align with what the skill requires: an 'outsmart' CLI binary and MAINNET_ENDPOINT to talk to Solana and PRIVATE_KEY to sign transactions. These items are expected for on-chain trading/sniping.
Instruction Scope
SKILL.md only instructs use of the outsmart CLI (buy, sell, info, create-pool, add-liq) and does not ask the agent to read unrelated files or exfiltrate data. The instructions explicitly rely on signing and RPC access, which matches the declared env vars.
Install Mechanism
Install spec uses the npm package 'outsmart' to provide a binary. Installing a third-party npm CLI is a normal approach but carries supply-chain risk—verify the package publisher and review source code or releases before installing.
Credentials
Requested env vars (PRIVATE_KEY, MAINNET_ENDPOINT) are proportionate to the task (need to sign transactions and connect to RPC). PRIVATE_KEY is highly sensitive; the skill does not declare a primaryEnv even though PRIVATE_KEY is effectively the primary credential.
Persistence & Privilege
Skill isn't always-on and requests no config paths or system-wide changes. It does not request elevated platform privileges in metadata.
Assessment
This skill appears to be what it says (a CLI-driven sniping helper), but it requires your private key and installs an npm package. Before installing or using it:
1) Inspect the npm package and its GitHub repo (check maintainers, recent commits, and releases).
2) Prefer running the CLI locally in an isolated environment; do not paste your main private key into unknown machines.
3) Consider using an ephemeral key or a signing service/hardware wallet with limited funds for testing.
4) Verify the MAINNET_ENDPOINT is trusted (don’t use third-party endpoints you don’t control).
5) Be aware of legal/ethical and financial risks of front-running/MEV and high-risk token launches.
If you cannot audit the CLI source, treat this as higher risk and avoid providing your main PRIVATE_KEY.

Like a lobster shell, security has layers — review code before you run it.

latest vk97bqkhz2rb0wm4fyjsz1q7g8581qp6c

Runtime requirements

Bins: outsmart
Env: PRIVATE_KEY, MAINNET_ENDPOINT

Install

Install outsmart CLI (npm)
Bins: outsmart
npm i -g outsmart
