Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ghostbot-uniswap-v4
v1.0.0
GhostBot ACLM — AI-powered Automated Concentrated Liquidity Manager for Uniswap v4. Manage liquidity positions, auto-rebalance out-of-range positions, optimize LP fees dynamically, execute limit orders (stop-loss, take-profit), and monitor oracle signals — all from chat. Deployed on Ethereum Sepolia with verified contracts. Use this skill when users ask about DeFi liquidity provision, Uniswap v4 hooks, pool management, LP positions, impermanent loss, or automated market making.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name, description, and code files are consistent with an ACLM for Uniswap v4 on Sepolia: scripts read hook/oracle/pool state, add/remove liquidity, mint test tokens, and post oracle signals. The single external dependency (viem) is appropriate for Ethereum interactions.
Instruction Scope
SKILL.md instructs the agent/user to run the included scripts and mentions optional env vars and a built-in demo wallet. In reality, scripts (config.mjs) immediately throw if RPC_URL or DEPLOYER_PRIVATE_KEY are not set, so a signing key and RPC endpoint are mandatory to run any write operations. The scripts perform on-chain writes (mint, approve, addLiquidity, postSignal) which legitimately require a private key, but the doc's 'optional/demo' language is misleading and grants broad scope to transact on-chain with whatever key is provided.
Install Mechanism
No remote install spec included; SKILL.md asks the user to run npm install in the scripts directory. package.json only depends on viem (a well-known library). This is a low-risk install pattern, but it does install code to disk and will execute locally-installed Node code when run.
Credentials
The code requires RPC_URL and DEPLOYER_PRIVATE_KEY to construct publicClient and walletClient. Those credentials are proportionate to the skill's ability to send signed transactions on Sepolia, but the registry metadata claims 'Required env vars: none' and SKILL.md calls the private key optional with a demo wallet — that inconsistency is important. Supplying a private key gives the scripts full signing authority for that account; users must not use a real/mainnet or high-value key.
Persistence & Privilege
Skill is not always-enabled and does not request persistent system privileges. It doesn't modify other skills or system config. Autonomy settings are default (agent may invoke autonomously), which is expected for a skill, but not itself flagged here.
What to consider before installing
This skill appears to implement a Uniswap v4 liquidity manager, and the included scripts will read on-chain state and can sign and send transactions. Before installing or running:
1) Note the inconsistency: the registry metadata lists no required env vars and SKILL.md says a demo wallet exists, but the code (config.mjs) requires RPC_URL and DEPLOYER_PRIVATE_KEY and will throw if they're missing. Providing a private key is mandatory to perform any write actions.
2) Never provide a real or high-value private key; use an ephemeral Sepolia test account with minimal funds.
3) Confirm RPC_URL points to a trusted RPC provider (your own node or a reputable provider), and understand that RPC endpoints see metadata about your requests.
4) Review the deployed contract addresses on Etherscan yourself and verify the contract source, owners, and authorized bot addresses before posting signals or sending transactions.
5) If you expected an instruction-only, read-only helper, do not run the write scripts; running add-liquidity or post-signal will execute transactions that modify contracts and spend tokens.
6) If you want to proceed, set up a throwaway Sepolia key, audit the on-chain contracts, and consider running the scripts in a sandbox environment first.
If needed, ask the skill author (or registry owner) to fix the documentation and metadata so that required env vars are declared and the 'demo wallet' behavior is clarified.
Like a lobster shell, security has layers — review code before you run it.
