Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawDex Trading

Trade tokens on Solana using the ClawDex CLI. Use when the user asks to swap tokens, check balances, get quotes, or manage a Solana trading wallet.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 518 · 5 current installs · 5 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (Solana trading via ClawDex/Jupiter) matches the CLI commands shown. However, the SKILL.md references environment values and paths (JUPITER_API_KEY, SOLANA_RPC_URL, and ~/.config/solana/id.json) that are required for operation but are not declared in the skill's metadata. That omission is an incoherence between declared requirements and actual needs.
Instruction Scope
The instructions explicitly direct the agent to run clawdex CLI commands that can simulate and execute real swaps (including a required '--yes' for non-interactive execution). They also reference a local wallet file (~/.config/solana/id.json) and an API key. The skill gives the agent permission to read local config and perform fund-moving operations if the wallet is present — this is beyond a purely read-only or quote-only skill and requires explicit, declared consent mechanisms.
Install Mechanism
There is no install spec in the registry, but the SKILL.md suggests running `npm install -g clawdex@latest`. Installing an npm package at runtime pulls code from a remote package registry and grants it execution on the host; this is a legitimate way to obtain a CLI but increases supply-chain risk and should be acknowledged explicitly in the manifest (package provenance, expected version, and source repository).
Credentials
The skill uses and expects secrets/credentials (JUPITER_API_KEY, possibly wallet private key at ~/.config/solana/id.json and RPC URL) yet the skill metadata declares no required env vars or primary credential. Requesting access to a local wallet file and to an API key without declaring them is disproportionate and makes it easy to accidentally expose private keys or allow automated trades.
Persistence & Privilege
The manifest sets always:false (good), but model invocation is allowed (the default). Combined with instructions that enable non-interactive swaps (`--yes`) and access to a local wallet, the agent could autonomously execute financial transactions if invoked. The manifest does not require an explicit interactive confirmation before a real swap; that gap increases risk for autonomous agents.
What to consider before installing
This skill can run real trades and expects access to a local Solana wallet and an API key, but those requirements are not declared in the registry metadata. Treat it as risky until clarified. Before installing or enabling it:

  1. Do not keep high-value private keys at the default path if you plan to let an agent run such skills; use a dedicated low-value wallet for automation.
  2. Require explicit user confirmation for any non-simulated swap, or disable autonomous invocation for this skill.
  3. Verify the clawdex npm package source (repository, authors, recent releases) and consider pinning a known-good version instead of installing latest.
  4. Ensure JUPITER_API_KEY and SOLANA_RPC_URL are managed securely (environment isolation or a secrets manager) and rotate credentials if exposed.
  5. Ask the skill author to update the manifest to declare required env vars and document the expected wallet usage and safety model; that would materially reduce the risk and could change this assessment.


Current version: v1.0.0 (latest: vk97eqyxarncmvdt4s2ewf1v6wn812fc9)

SKILL.md

ClawDex — Solana DEX Trading Skill

Trade any Solana token through Jupiter aggregator with simulation, safety guardrails, and full JSON output.

Prerequisites

Before using this skill, ensure ClawDex is installed and configured:

which clawdex || npm install -g clawdex@latest

If not configured yet, run onboarding:

clawdex status --json

If status fails, set up with:

clawdex onboarding \
  --jupiter-api-key "$JUPITER_API_KEY" \
  --rpc "${SOLANA_RPC_URL:-https://api.mainnet-beta.solana.com}" \
  --wallet ~/.config/solana/id.json \
  --json

Commands

Check wallet balances

clawdex balances --json

Returns an array of { token, symbol, mint, balance, decimals } objects. Zero-balance accounts are included in JSON output.

Get a quote (no execution)

clawdex quote --in SOL --out USDC --amount 0.01 --json

Lightweight price check — no simulation, no wallet needed.

Simulate a swap (dry run)

clawdex swap --in SOL --out USDC --amount 0.01 --simulate-only --json

Runs a full transaction simulation through the RPC node without broadcasting anything. Does not require --yes. Use it to preview the output amount and route before committing.

Execute a swap

clawdex swap --in SOL --out USDC --amount 0.01 --yes --json

--yes is required for non-interactive execution. Without it, ClawDex exits with code 1.

Health check

clawdex status --json

Verify RPC connectivity, wallet validity, and config state.

Trading Workflow

Always follow this sequence:

  1. Health check: clawdex status --json. Abort if rpc.healthy is false.
  2. Check balances: clawdex balances --json. Verify sufficient funds.
  3. Simulate: clawdex swap --simulate-only --json. Preview the trade.
  4. Execute: clawdex swap --yes --json. Only if the simulation looks good.
  5. Verify: clawdex balances --json. Confirm balances updated (may need a 5 s delay on public RPC).

Token Specification

Tokens can be passed by symbol or mint address:

  • By symbol: SOL, USDC, USDT
  • By mint: EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v

Exit Codes

  Code  Meaning            Agent action
  0     Success            Continue
  1     General error      Check message
  2     Config error       Run onboarding
  3     Safety violation   Reduce amount or adjust limits
  4     Simulation failed  Try different pair/amount
  5     Send failed        Retry with backoff

Safety

Set guardrails to prevent runaway trades:

clawdex safety set max_slippage_bps=300 max_trade_sol=1 max_price_impact_bps=100

When a guardrail triggers, the JSON response includes a violations array describing what failed.

Important Rules

  • Always use --json for machine-parseable output
  • Always use --yes for real swaps (not needed for --simulate-only)
  • Never skip simulation unless you have a good reason — use --simulate-only first
  • Parse balance as a string, not a number — it preserves full decimal precision
  • Check exit codes — non-zero means the trade did not succeed
  • Wait before verifying — RPC balance reads can lag a few seconds after a swap
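As an added example (not part of this skill or of the clawdex project), the following Python wrapper implements the Trading Workflow, the Exit Codes table, the Safety violations handling and the Important Rules above from the agent's side: it runs status, balances, simulate, execute and verify in that order, aborts when rpc.healthy is false, keeps balances as Decimal parsed from the string field, refuses to proceed when a simulation reports a violations array, maps every non-zero exit to the documented action, and passes --yes only when the caller has explicitly confirmed a real swap (the confirmation step the scan report asks for). The command-line flags, the balances schema, rpc.healthy and violations come from the SKILL.md; the FakeClawdex class is a constructed stand-in for a real clawdex install so the code runs offline, and the other JSON fields in its responses (signature, outAmount) are assumptions.

```python
import json
import subprocess
import time
from decimal import Decimal
from typing import Callable, Dict, List, Sequence, Tuple

# Exit codes from the SKILL.md table, mapped to the documented agent action.
EXIT_ACTIONS: Dict[int, str] = {
    0: "continue",
    1: "check message",
    2: "run onboarding",
    3: "reduce amount or adjust limits",
    4: "try different pair/amount",
    5: "retry with backoff",
}

# A runner takes clawdex arguments and returns (exit code, stdout).
Runner = Callable[[Sequence[str]], Tuple[int, str]]


def subprocess_runner(args: Sequence[str]) -> Tuple[int, str]:
    """Production runner: invoke the real clawdex binary found on PATH."""
    proc = subprocess.run(["clawdex", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout


class ClawdexError(RuntimeError):
    """Non-zero exit from clawdex; `action` is the documented follow-up."""

    def __init__(self, code: int, payload: dict):
        self.code, self.payload = code, payload
        self.action = EXIT_ACTIONS.get(code, "unknown exit code")
        super().__init__(f"clawdex exited {code}: {self.action}")


def run_clawdex(args: Sequence[str], run: Runner) -> dict:
    """Always append --json, parse stdout, and turn any non-zero exit into an error."""
    code, out = run([*args, "--json"])
    try:
        payload = json.loads(out) if out.strip() else {}
    except json.JSONDecodeError:
        payload = {"raw": out}
    if code != 0:
        raise ClawdexError(code, payload)
    return payload


def balance_of(balances: List[dict], symbol: str) -> Decimal:
    """balance is a string in the JSON; Decimal keeps its full precision (never float)."""
    for entry in balances:
        if entry.get("symbol") == symbol:
            return Decimal(entry["balance"])
    return Decimal("0")


def guarded_swap(token_in: str, token_out: str, amount: str, run: Runner,
                 confirm_real_swap: bool = False, settle_seconds: float = 5.0) -> dict:
    """status -> balances -> simulate -> (execute) -> verify, as the SKILL.md workflow
    prescribes. --yes is passed only when the caller explicitly confirms."""
    status = run_clawdex(["status"], run)
    if not status.get("rpc", {}).get("healthy", False):   # abort if rpc.healthy is false
        return {"stage": "status", "ok": False, "reason": "rpc unhealthy"}

    before = balance_of(run_clawdex(["balances"], run), token_in)
    if before < Decimal(amount):
        return {"stage": "balances", "ok": False,
                "reason": f"insufficient {token_in}: have {before}, need {amount}"}

    swap_args = ["swap", "--in", token_in, "--out", token_out, "--amount", amount]
    sim = run_clawdex([*swap_args, "--simulate-only"], run)
    if sim.get("violations"):        # guardrail hit: refuse even if the exit code was 0
        return {"stage": "simulate", "ok": False, "violations": sim["violations"]}
    if not confirm_real_swap:        # default: stop after the dry run, never pass --yes
        return {"stage": "simulate", "ok": True, "executed": False, "simulation": sim}

    result = run_clawdex([*swap_args, "--yes"], run)
    if settle_seconds:               # balance reads can lag a few seconds after a swap
        time.sleep(settle_seconds)
    after = balance_of(run_clawdex(["balances"], run), token_in)
    return {"stage": "verify", "ok": after < before, "executed": True,
            "spent": str(before - after), "result": result}


class FakeClawdex:
    """Constructed stand-in for a clawdex install so the guard runs offline (assumption:
    a safety violation exits 3 and carries the violations array in the same response)."""

    def __init__(self, healthy: bool = True, sol: str = "1.5", violations=None):
        self.healthy, self.sol, self.violations = healthy, sol, list(violations or [])
        self.calls: List[List[str]] = []

    def __call__(self, args: Sequence[str]) -> Tuple[int, str]:
        args = list(args)
        self.calls.append(args)
        if args[0] == "status":
            return 0, json.dumps({"rpc": {"healthy": self.healthy}})
        if args[0] == "balances":   # schema from the SKILL.md; mint value is constructed
            return 0, json.dumps([{"token": "Solana", "symbol": "SOL", "mint": "constructed-mint",
                                   "balance": self.sol, "decimals": 9}])
        if args[0] == "swap":
            if self.violations:
                return 3, json.dumps({"violations": self.violations})
            if "--yes" in args:      # real swap: debit the input amount
                self.sol = str(Decimal(self.sol) - Decimal(args[args.index("--amount") + 1]))
                return 0, json.dumps({"signature": "constructed-signature"})
            return 0, json.dumps({"outAmount": "1.4"})
        return 1, json.dumps({"error": "unknown command"})


if __name__ == "__main__":
    fake = FakeClawdex()
    print(guarded_swap("SOL", "USDC", "0.01", fake))   # dry run only, no --yes issued
    print(guarded_swap("SOL", "USDC", "0.01", fake, confirm_real_swap=True, settle_seconds=0))
```

In production, pass subprocess_runner as `run` and keep the default settle delay; the separation of the runner from the guard is what lets the refusal paths (unhealthy RPC, insufficient balance, guardrail violation, missing confirmation) be exercised without a funded wallet.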

Files

1 total