ClawHub

Swap and bridge across 35+ chains with LI.FI

v1.0.2

Cross-chain token swaps and bridges via the LI.FI protocol. Get quotes, execute transfers, track progress, and compose DeFi operations across 35+ blockchains.

2· 602·0 current·0 all-time
byRahul Sethuram@rhlsthrm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md teaches the agent to call LI.FI endpoints to get quotes, routes, and transactionRequest objects. Declared requirements are minimal (curl). One minor inconsistency: registry lists a primary credential LIFI_API_KEY but 'Required env vars' is empty — SKILL.md states the API key is optional for higher rate limits. Overall the requested capabilities align with the stated purpose.
Instruction Scope
Instructions are narrowly scoped to calling LI.FI endpoints (via curl), deriving routes/quotes, and returning transactionRequest objects for signing. They do not instruct reading arbitrary local files or unrelated environment variables. Important operational caution: the skill instructs agents to hand transactionRequest objects to 'the agent's wallet' for signing — the SKILL.md does not prescribe a secure signing flow, so there is risk if an agent asks users to paste private keys or if the agent is allowed to sign autonomously.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write to disk; required binary is only curl. That is the lowest-risk install surface.
Credentials
The skill declares LIFI_API_KEY as the primary credential (used optionally via the x-lifi-api-key header) and otherwise requires no environment variables — this is proportionate. Verify that you do not provide wallet private keys or other credentials to the agent; the skill does not declare any wallet-private-key env vars, so such access would be out-of-scope and risky.
Persistence & Privilege
The skill is not always-installed (always: false) and does not request persistent system privileges or to modify other skills. Autonomous invocation is allowed (platform default) but that alone is not a concern here.
Assessment
What to check before installing/using: 1) Domain verification: SKILL.md calls the API at https://li.quest/v1 while README references docs.li.fi and apidocs.li.fi — confirm that li.quest is the legitimate LI.FI API host you expect. 2) Never paste or store your wallet private key or seed phrase in the agent; prefer an external/hardware wallet or a signing flow that keeps keys off the agent. 3) Do not allow the agent to sign transactions automatically without an explicit human confirmation step; always inspect transactionRequest fields (to, data, value, gas) before signing. 4) If you provide a LIFI_API_KEY, treat it like a normal API key (rate-limit or restrict if possible) — the key is optional and used for rate limits. 5) Since this skill issues HTTP requests via curl, consider network policies and audit logs if you run agents in sensitive environments. If any of the above are unacceptable or unclear, review the SKILL.md/README with the skill author or avoid giving the agent wallet-signing capability.

Like a lobster shell, security has layers — review code before you run it.

bridgevk975ergjyngv9jx5tgtqr92qrs818nxhcrosschainvk975ergjyngv9jx5tgtqr92qrs818nxhdefivk975ergjyngv9jx5tgtqr92qrs818nxhlatestvk975ergjyngv9jx5tgtqr92qrs818nxhlifivk975ergjyngv9jx5tgtqr92qrs818nxhswapvk975ergjyngv9jx5tgtqr92qrs818nxh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔗 Clawdis
Binscurl
Primary envLIFI_API_KEY

Comments