Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Outsmart Trenching

v1.0.0

Trade memecoins on Solana. Use when: user asks about memecoins, trenching, degen trading, ape, GMGN, Axiom, pump, 100x, alpha, CT, smart money, whale trackin...

by vincent so @outsmartchad
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is a CLI-driven Solana trading assistant. Requesting an 'outsmart' binary, curl, a PRIVATE_KEY and MAINNET_ENDPOINT is consistent with performing on‑chain trades and RPC calls.
Instruction Scope
SKILL.md instructs the agent to run 'outsmart' commands (info, buy, sell, create-pool, add-liq) and a curl to Jupiter Shield—all within the trading domain. However, the runtime instructions perform live, state-changing actions (trades, pool creation) and do not include explicit user-confirmation safeguards. They therefore grant the agent the ability to sign and send transactions if provided the PRIVATE_KEY.
Install Mechanism
Install uses npm (package 'outsmart') which is a reasonable way to provide the 'outsmart' CLI, but installing third-party npm packages carries supply-chain risk. No direct downloads from arbitrary URLs are used, which reduces risk compared with untrusted archives.
Credentials
Only PRIVATE_KEY and MAINNET_ENDPOINT are required, which are proportionate to on‑chain trading. That said, PRIVATE_KEY is a high‑sensitivity secret that grants full control over the wallet—the skill will use it to sign transactions if supplied. The SKILL.md does not document any least-privilege mitigations (e.g., using a limited, funded burner wallet).
Persistence & Privilege
The skill does not request always:true, does not declare config paths, and is user-invocable only. It does not appear to request persistent system-wide privileges beyond running the CLI.
Assessment
This skill is coherent for trading on Solana, but it requires you to provide a PRIVATE_KEY environment variable and will run commands that can sign and broadcast transactions. Before installing:
1) Verify the npm package (author, version, GitHub repo, recent commits) and prefer installing from the official repository;
2) Do NOT supply your main wallet private key—use a funded burner wallet with limited funds;
3) Prefer an RPC endpoint you control or trust for MAINNET_ENDPOINT;
4) Review the 'outsmart' CLI source code (or run it in an isolated environment/container) to ensure it does not exfiltrate keys;
5) Consider using a hardware wallet or a signing service that avoids exporting private keys to env vars;
6) If you allow autonomous invocation, be aware the agent could execute trades without additional confirmations—disable autonomous invocation or require manual confirmations if you are risk-averse.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

Bins: outsmart, curl
Env: PRIVATE_KEY, MAINNET_ENDPOINT

Install

Install outsmart CLI (npm)
Bins: outsmart
npm i -g outsmart
