ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Uniswap Submit Limit Order

v0.1.0

Submit a UniswapX Dutch auction limit order. Use when user wants to set a limit price, get MEV-protected execution, or submit an order that fills at the best available price. No gas cost until filled.

0· 837·2 current·2 all-time
by@wpank
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the SKILL.md steps (get quote, submit_uniswapx_order, poll status, check safety) are consistent with submitting UniswapX Dutch auction limit orders. However, the skill depends on platform microservices (mcp__uniswap__*) and a Task(subagent_type:trade-executor) to perform execution; that is reasonable for a trading skill but shifts important capabilities (wallet signing, network submission) out of the skill and into the platform connectors/subagent.
!
Instruction Scope
The SKILL.md instructs the agent to use a trade-executor subagent and several MCP connectors without describing how authentication, signing, or explicit user confirmation for on-chain execution will be handled. The instructions also reference checking token allowlists and spending limits (which implies reading configs or user policy) but do not detail where those policies live or what data is read. This gives the skill broad runtime discretion which could result in on-chain actions if the platform connectors are authorized.
Install Mechanism
No install spec or code files are included; the skill is instruction-only so nothing gets written to disk by the skill itself. Note: README suggests installing from a GitHub location via npx, which is inconsistent with the registry showing no install spec — that external-install suggestion is a discrepancy to be aware of.
!
Credentials
The skill declares no required environment variables or credentials, yet it invokes a trade-executor subagent and MCP connectors that, in practice, will need some form of wallet access or account authorization to submit or finalize orders. The lack of declared credentials or a clear authentication/consent flow is a meaningful mismatch — it's unclear how signing or account access will be obtained and whether user approval will be required for each order.
Persistence & Privilege
always is false and the skill doesn't request persistent system-wide changes. However, the skill is allowed to invoke platform subagents and connectors autonomously (default model invocation enabled). Combined with the other concerns (unexplained execution authority), autonomous invocation could increase risk if platform connectors have broad privileges; on its own this is standard behavior.
What to consider before installing
This skill appears to implement UniswapX limit orders but has unclear trust boundaries. Before installing or enabling it: 1) Confirm how signing and account access are handled — which wallet/account will be used and whether the connector requires long-lived credentials. 2) Ask the platform whether the trade-executor subagent will ask the user for explicit confirmation before submitting any on‑chain transaction. 3) Verify the source of any external install (README points to a GitHub npx install) and avoid running external installers you don't trust. 4) Test with minimal amounts and check safety/allowlist configuration (who controls it?). 5) If you need stronger guarantees, request the skill declare required credentials and an explicit consent/auth flow or provide the trade-executor's audited contract/connector details. If you cannot get clear answers about authentication and consent, treat the skill as higher-risk and prefer manual execution instead of autonomous invocation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f062mfd5k7xc3dy3dmsfv4n80wsv3
837downloads
0stars
1versions
Updated 14h ago
v0.1.0
MIT-0
@wpank
latest
Download

Submit Limit Order

Submit a gasless UniswapX Dutch auction limit order.

Activation

Use this skill when the user says any of:

  • "Set a limit order"
  • "Buy X at price Y"
  • "Submit a UniswapX order"
  • "Limit buy/sell"

Input Extraction

ParameterRequiredDefaultSource
tokenInYesToken name/symbol
tokenOutYesToken name/symbol
amountYesNumeric value
chainNoethereumChain name
limitPriceNomarket priceTarget price
expiryNo5 minutesDuration for Dutch auction decay

Workflow

  1. Validate inputs: Check token allowlist, spending limits, and UniswapX support on the target chain.

  2. Get current market price: Call get_quote to establish the baseline price.

  3. Submit order: Call submit_uniswapx_order with:

    • tokenIn, tokenOut, amount, chain
    • orderType: "dutch" (default) or "priority"

  4. Monitor (optional): Poll get_uniswapx_order_status until filled, expired, or cancelled.

  5. Report:

Limit Order Submitted (UniswapX Dutch Auction)

  Input:   1,000 USDC
  Target:  0.310 WETH (limit: 1 WETH = $3,225)
  Decay:   $3,225 → $3,200 over 5 minutes
  Status:  PENDING
  Order:   0xORDER_HASH...

  Gas: $0.00 (gasless until filled)
  Monitoring: Will report when filled or expired.

Error Handling

ErrorUser MessageSuggested Action
UNISWAPX_NOT_SUPPORTED"UniswapX not available on [chain]."Use supported chain or execute-swap
ORDER_EXPIRED"Order expired without fill."Adjust limit price or increase expiry
SAFETY_TOKEN_NOT_ALLOWED"TOKEN is not on allowlist."Add token to config

Comments

Loading comments...