Skillv2025.4.12

ClawScan security

DEX Arbitrage DEX套利 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 11, 2026, 10:48 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill mostly does what an arbitrage assistant claims, but there are multiple inconsistencies and a high-risk hardcoded billing API key and payment integration that are disproportionate and unexplained.
Guidance: This skill contains real arbitrage code but also includes a built-in billing integration with a hardcoded API key and inconsistent metadata. Treat it as suspicious: do not run it with any sensitive credentials or deploy it in production. Before using/installing, ask the maintainer to: (1) remove the hardcoded BILLING_API_KEY and move secret keys to documented environment variables, (2) reconcile meta.json vs registry-required env vars, (3) provide the missing referenced files or fix SKILL.md, and (4) explain who controls the SkillPay account and how charges are handled. If you must test it, run it in an isolated sandbox with network egress restricted and no wallet/private keys present. Avoid entering personal/private keys or wallet secrets until these issues are resolved.
Findings: [hardcoded_skillpay_api_key] unexpected: payment.py contains a long hardcoded BILLING_API_KEY value. Hardcoded private API keys are unsafe and not expected for a client-side skill; they enable the repository (or anyone running it) to make privileged calls and may indicate leaked credentials. [meta_payment_envs_declared] expected: meta.json declares SKILLPAY_API_KEY and SKILLPAY_USER_ID as required for billing. Declaring payment credentials is reasonable for a paid skill, but this conflicts with the registry 'Required env vars: none' and payment.py's use of a hardcoded key instead of relying on an env var. [referenced_files_missing] unexpected: SKILL.md references files (e.g., scripts/flashloan_arbitrage.sol, scripts/cross_chain_arbitrage.py) that are not present in the file manifest. This inconsistency could be sloppy packaging or an attempt to mislead about included functionality.

Review Dimensions

Purpose & Capability: noteThe skill’s code (price monitor, arbitrage calculator, flashloan generator) matches the DEX arbitrage purpose. However the package embeds a SkillPay billing integration (meta.json + payment.py + SKILL.md payment instructions). The registry metadata provided to the scanner lists no required env vars, but meta.json declares SKILLPAY_API_KEY and SKILLPAY_USER_ID as required — an inconsistency. Charging users can be legitimate for a paid skill, but the billing implementation (see hardcoded API key) is unexpected and needs justification.
Instruction Scope: concernSKILL.md instructs the agent to run/offer scripts and to use external services (Flashbots, private RPCs) which is appropriate for arbitrage. But the documentation references files that do not appear in the manifest (e.g., scripts/flashloan_arbitrage.sol, cross_chain_arbitrage.py), creating a mismatch. The runtime instructions also require performing network calls (payment endpoint, RPCs) and potentially deploying/using contracts — actions that require private keys and credentials that are not declared or scoped in the skill. That vagueness grants broad discretion and is a risk for accidental misuse.
Install Mechanism: okThis is instruction-plus-code with no install spec; nothing is downloaded or extracted at install time. That lowers the install-time risk surface. The included Python scripts will perform network calls at runtime, but there is no installer that pulls arbitrary remote code.
Credentials: concernThere is a clear mismatch between declared required env vars (none) and the skill internals: meta.json declares SKILLPAY_API_KEY and SKILLPAY_USER_ID as required, and payment.py reads SKILLPAY_USER_ID from the environment. Worse: payment.py contains a long hardcoded BILLING_API_KEY string in plaintext. Embedding an API key in code is a significant security/operational risk (exfiltration, unauthorized charges, key compromise) and is disproportionate to the documented arbitrage functionality.
Persistence & Privilege: notealways is false and the skill does not request system-wide configuration changes. The agent can invoke the skill autonomously (platform default). Combined with the billing calls and network-enabled scripts, autonomous invocation increases blast radius, but autonomous invocation alone is normal and not flagged by itself.