Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ZeroEx Swap

Execute token swaps using the 0x API with support for price quotes, gasless meta-transactions, and on-chain trade history retrieval.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 421 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Suspicious (View report →)
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (0x swaps, quotes, gasless meta-tx) match the code and SKILL.md. Requested env vars (ZEROEX_API_KEY, PRIVATE_KEY) and dependencies (axios, ethers, viem) are proportionate to making API calls and signing/sending transactions.
Instruction Scope
SKILL.md and the scripts instruct the agent to call 0x endpoints, sign EIP‑712 payloads, and use an RPC provider — all expected. The skill requires the user's private key to sign transactions (sensitive but necessary). The SKILL.md and code do expose and log the wallet address, and will send data to 0x and to the configured/default RPC endpoints (which can observe requests and transactions).
Install Mechanism
There is no opaque install downloader; it's an instruction-only skill with normal npm dependencies declared in package.json. Dependencies (axios, ethers, viem) are appropriate and expected.
Credentials
Requested environment variables are limited and appropriate: ZEROEX_API_KEY (API access) and PRIVATE_KEY (to sign/send swaps). One minor mismatch: swap.js also accepts ZEROEX_PRIVATE_KEY as an alternative but SKILL.md doesn't mention it. No unrelated secrets are requested.
Persistence & Privilege
Skill does not request always:true, does not modify other skills or system-wide configs, and has no persistent installation actions declared. Autonomous invocation is allowed but is the platform default.
Assessment
This skill appears to do what it says, but it's handling real funds so proceed carefully:

  1) Use a dedicated hot wallet with minimal funds and never use your main seed phrase.
  2) Be aware the PRIVATE_KEY must be provided in environment variables — keep it secret and ephemeral; avoid long‑lived env variables on shared systems.
  3) The code uses default third‑party RPC endpoints (e.g., llamarpc.com and mainnet.base.org); these providers will see your transactions and addresses — if privacy/trust is a concern, set RPC_URL to your own node or a trusted RPC.
  4) Review the code before running; there are small implementation inconsistencies (e.g., swap.js accepts ZEROEX_PRIVATE_KEY but SKILL.md doesn't mention it, and quote.js references path/fileURLToPath without importing them) which are likely bugs rather than malicious.
  5) Consider running in a sandboxed environment and test with tiny amounts first.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.1
Tags: base, defi, ethereum, latest, swap

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

ZeroEx Swap Skill

⚠️ SECURITY WARNING: This skill involves real funds. Review all parameters before executing swaps.

Install

cd skills/zeroex-swap
npm install

Required Environment Variables

Variable          Description                                            Required
ZEROEX_API_KEY    Get from https://dashboard.0x.org/                     Yes
PRIVATE_KEY       Wallet private key (hex, without 0x prefix)            Yes
RPC_URL           RPC endpoint for chain (optional, defaults provided)   No

Declared required env vars: ZEROEX_API_KEY, PRIVATE_KEY

export ZEROEX_API_KEY="your-0x-api-key"
export PRIVATE_KEY="your-private-key-hex"
export RPC_URL="https://mainnet.base.org"  # optional

Usage

Get Price Quote

node quote.js --sell USDC --buy WETH --amount 1 --chain base

Execute Swap (sell → buy)

node swap.js --sell USDC --buy WETH --amount 1 --chain base

Execute Swap (buy example)

node swap.js --sell WETH --buy USDC --amount 0.01 --chain base

Trade History

getSwapTrades

curl -s "https://api.0x.org/trade-analytics/swap?chainId=8453&taker=0xYOUR_WALLET" \
  -H "0x-api-key: $ZEROEX_API_KEY" \
  -H "0x-version: v2"

getGaslessTrades

curl -s "https://api.0x.org/trade-analytics/gasless?chainId=8453&taker=0xYOUR_WALLET" \
  -H "0x-api-key: $ZEROEX_API_KEY" \
  -H "0x-version: v2"

Gasless Swap (Meta-transaction)

Flow:

  1. Get gasless quote
  2. Sign EIP-712 payload
  3. Submit meta-tx

1) Get gasless quote

curl -s "https://api.0x.org/gasless/quote?sellToken=USDC&buyToken=WETH&sellAmount=1000000&chainId=8453&taker=0xYOUR_WALLET" \
  -H "0x-api-key: $ZEROEX_API_KEY" \
  -H "0x-version: v2"

2) Sign EIP-712 (use viem)

// use viem to sign quote.trade.eip712
// (client is a viem wallet client for the taker account; quote is the
//  parsed JSON response from step 1)
await client.signTypedData({
  domain: quote.trade.eip712.domain,
  types: quote.trade.eip712.types,
  message: quote.trade.eip712.message,
  primaryType: quote.trade.eip712.primaryType
});

3) Submit

curl -s -X POST "https://api.0x.org/gasless/submit" \
  -H "0x-api-key: $ZEROEX_API_KEY" \
  -H "0x-version: v2" \
  -H "Content-Type: application/json" \
  -d '{"trade": {"type":"settler_metatransaction","eip712": {"domain": {"name": "Settler", "chainId": 8453, "verifyingContract": "0x..."},"types": {...},"message": {...},"primaryType":"..."},"signature": {"v": 27, "r": "0x...", "s": "0x...", "signatureType": 2}}}'

Security Best Practices

  • Use a dedicated hot wallet
  • Set slippage protection
  • Approve exact amounts only
  • Use your own RPC via RPC_URL

Files

5 total
