Skill v0.1.1
ClawScan security
Base Stable Arb Radar · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 2:33 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary
- The skill's code and instructions are consistent with a read-only arbitrage monitoring tool: it queries public APIs/RPC endpoints, persists local state, and emits webhook/NDJSON alerts without signing or executing trades.
- Guidance
- This package appears to do what it claims: read-only arbitrage monitoring with local state and optional webhook alerts. Before installing or running it: (1) run it in a controlled environment (container or dedicated directory) since it writes state.json and a cache file next to the code; (2) only provide a webhook URL you trust; (3) do not export private RPC credentials unless you understand they will be used for on-chain queries — the code will use BASE_RPC_URL / ALCHEMY_RPC_URL / INFURA_RPC_URL / RPC_URL if set; (4) note the included shell wrapper references a 'projects/statarb' path which may not match your layout — inspect/adjust the wrapper before use; (5) if you want extra assurance, review the full Python file (it is included) to confirm no unexpected network endpoints are targeted. Overall the skill is internally consistent and read-only (no signing/execution).
Review Dimensions
- Purpose & Capability
- ok: Name/description (Base Uniswap V3 + Aerodrome read-only arb radar) align with the included Python scanner and shell wrapper. The scanner implements cross-DEX comparisons, gas/slippage filters, NDJSON alerts, and state persistence as described.
- Instruction Scope
- note: SKILL.md instructs running the provided scanner and documents the optional ARB_WEBHOOK_URL. The runtime instructions do not ask for unrelated system data. Note: the scanner will read/write local files (state.json and a cache file) and make outbound HTTP requests to CoinGecko, Dexscreener, and RPC endpoints — this is expected for a monitoring tool but worth noting.
- Install Mechanism
- ok: No install spec; this is instruction-only with bundled code. No downloads or external install steps that would write arbitrary archives to disk.
- Credentials
- note: The skill declares no required environment variables and documents ARB_WEBHOOK_URL as optional. The code also checks for RPC environment keys (BASE_RPC_URL, ALCHEMY_RPC_URL, INFURA_RPC_URL, RPC_URL) if present. Asking for RPC URLs is reasonable for a network scanner, but the SKILL.md / README do not explicitly document RPC env var usage — users should not export private RPC credentials to this tool unless intended.
- Persistence & Privilege
- ok: The tool persistently writes state.json and a cache file next to the script for adaptive thresholds and de-duplication. always:true is not set and the skill does not attempt to modify other skill or system-wide configs.
