
Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: rerange-skill
Version: 1.0.2

The Rerange skill bundle is a legitimate DeFi toolset for managing non-custodial liquidity orders. The core logic in `index.js` is limited to read-only contract calls and calldata encoding using the `viem` library, and the documentation across `SKILL.md` and other markdown files consistently emphasizes safety, risk checks, and the strict avoidance of private key handling or unauthorized asset withdrawals.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If approved, the agent may prepare vault transactions that can affect funds or DeFi positions.

Why it was flagged

The skill documents powerful vault call and multicall capabilities. The same text limits them to explicit owner-approved use, so this is a disclosed high-impact capability rather than hidden behavior.

Skill content

`RerangeVault.call(target, value, data)` for explicit owner-approved calls ... `RerangeVault.multicall(targets, values, data)` for explicit owner-approved batches

Recommendation

Review the exact target, value, calldata purpose, and wallet prompt before approving any vault call, multicall, open, close, or rerange transaction.

What this means

A delegated agent could manage orders until the configured expiry, so an overly broad or long-lived delegation could create financial risk.

Why it was flagged

The skill supports delegated agent authority over vault/order management. It is bounded by expiry and stated scope, but still affects wallet and vault permissions.

Skill content

Use `setAgent(agent, accessExpiresAt)` for session-key-like delegation ... `scope`: `order_management_only`

Recommendation

Use short expirations, order-management-only scopes, and never delegate withdrawal authority or unlimited wallet permissions.

What this means

If the SDK or fallback path is not the expected trusted code, deployment addresses, ABIs, or calldata could be wrong.

Why it was flagged

The helper imports an external SDK and can fall back to a sibling local SDK path. This is disclosed development plumbing, but it means helper correctness depends on dependency provenance.

Skill content

`const wagmi = await importWithFallback("@rerange/wagmi", "../sdk/dist/index.js")`

Recommendation

Install dependencies from trusted sources, prefer locked versions in production, and avoid using an unexpected local `../sdk` fallback.

What this means

Stored monitoring records could expose which wallet, vault, and strategy a user is using if agent memory is shared or compromised.

Why it was flagged

The skill asks agents to persist order identifiers, owner/vault addresses, and intent metadata for monitoring. This is purpose-aligned but may reveal trading or portfolio context.

Skill content

Persist this minimal record: ... `order_key` ... `owner` ... `vault` ... `intent`

Recommendation

Store only the needed monitoring metadata, protect agent memory, and clear old order records when monitoring is no longer needed.

Note (High Confidence)

ASI10: Rogue Agents

What this means

A configured monitor or resolver may continue checking orders and, if separately authorized, may submit maintenance transactions over time.

Why it was flagged

The skill describes recurring monitoring and resolver scanning cadences. This is expected for persistent liquidity orders, but it is autonomous ongoing activity.

Skill content

Active user-facing orders: every 5 to 15 minutes. Resolver candidate scans: every block to every 5 minutes

Recommendation

Set explicit schedules, stop conditions, gas limits, and authorization boundaries for any long-running monitor or resolver.