Outsmart LP Sniping

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Solana trading purpose, but it can use a private key to execute irreversible crypto trades and liquidity actions with limited safety guardrails.

Install only if you understand Solana trading risk and are comfortable giving the `outsmart` CLI access to a dedicated wallet key. Do not use a main wallet; use a low-balance wallet, verify every mint and pool address, set conservative spend and slippage limits where available, and require manual review before every buy, sell, pool creation, or liquidity transaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill is scoped as an LP-sniping/first-buy tool, but it also instructs users to sell positions and create/add liquidity afterward, expanding behavior into broader active trading and LP management. This scope creep is dangerous because an agent selecting the skill for a narrow first-buy action could be induced into additional irreversible on-chain transactions with materially different risk profiles, including loss from poor exits, pool misconfiguration, or capital deployment into LP positions.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill provides concrete buy, sell, create-pool, and add-liquidity commands that can trigger immediate financial transactions, but it does not include explicit warnings about irreversible on-chain execution, slippage, smart-contract risk, MEV exposure, or total loss of funds. In this context, the omission is more dangerous because the skill targets highly speculative, time-sensitive LP sniping, where users are especially likely to act quickly without understanding transactional consequences.

VirusTotal

66/66 vendors flagged this skill as clean.
