Outsmart LP Sniping
Verdict: Suspicious. Audited by ClawScan on May 10, 2026.
Overview
This skill is a real-money Solana trading automation that requires a private key and can execute irreversible buys, sells, pool creation, and liquidity actions without clearly documented transaction controls.
Treat this as high-risk real-money automation. Only consider using it with a separate low-balance wallet after auditing and pinning the outsmart CLI, and require manual confirmation of the exact token, amount, slippage, tip, fee, and destination for every transaction.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using a main wallet key could let the installed CLI sign transactions that move or risk real funds.
For a Solana trading skill, PRIVATE_KEY is a high-impact signing credential for real mainnet transactions, but the registry metadata does not declare a primary credential or clear bounds for how the key is used.
Required env vars: PRIVATE_KEY, MAINNET_ENDPOINT; Env var declarations: none; Primary credential: none
Use only a dedicated low-balance wallet, never a main wallet key, and require explicit approval for every transaction amount, token, route, tip, and fee.
A user or agent following the skill could place real trades, sell holdings, or create pools with meaningful loss or market-impact risk.
These are executable commands for irreversible financial actions, including buying, selling, and creating liquidity pools, but the skill does not specify confirmation gates, maximum losses, slippage checks, or other safeguards.
outsmart buy --dex meteora-dlmm --pool POOL --amount 0.05 --tip 0.005 ...
outsmart sell --dex jupiter-ultra --token MINT --pct 50 ...
outsmart create-pool ... --quote-amount 0.5 --max-fee 9900
Add a required quote/dry-run step and manual confirmation before every on-chain transaction, with explicit limits for spend, percentage sold, slippage, priority tip, and pool fees.
If the npm package is changed, compromised, or not the expected project, it could access the provided private key or submit unintended transactions.
The runnable trading code is fetched from an external npm package with no version pin shown in the provided install spec, while the artifact set contains no code files for review.
node | package: outsmart | creates binaries: outsmart
Verify the package source, pin an audited version, check the GitHub/npm provenance, and prefer checksum or lockfile-based installation before exposing any private key.
