Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tempo Stable + Uniswap Swaps

v1.0.0

Tempo stablecoin and token swap operations for agents. Use when working with pathUSD/USDC.e balances, swapping between USDC.e and pathUSD, or executing any-t...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for aviclaw/tempo-stable-uniswap-swaps.

Install the skill "Tempo Stable + Uniswap Swaps" (aviclaw/tempo-stable-uniswap-swaps) from ClawHub.
Skill page: https://clawhub.ai/aviclaw/tempo-stable-uniswap-swaps
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install tempo-stable-uniswap-swaps

ClawHub CLI

npx clawhub@latest install tempo-stable-uniswap-swaps

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The SKILL.md describes exactly the stated purpose (Tempo swaps, pathUSD/USDC.e, Uniswap Trade API). However the registry metadata lists no required env vars or binaries while the SKILL.md explicitly requires PRIVATE_KEY, UNISWAP_API_KEY, and tools (cast/curl/jq). The missing declarations are an incoherence (likely sloppy metadata) that increases risk because sensitive requirements are not surfaced.
Instruction Scope
Runtime instructions tell the agent to use a PRIVATE_KEY to derive wallet addresses, build/send transactions, approve Permit2 with effectively unlimited allowance, call Uniswap trade API with an API key, and optionally run a remote Foundry installer. The instructions do not ask to read unrelated files, but they do perform high-impact actions (signing/broadcasting transactions and setting broad approvals) that require the user's private key and therefore carry high risk if misused.
Install Mechanism
There is no formal install spec (skill is instruction-only), which is low risk. But the SKILL.md suggests installing Foundry via a remote curl | bash from foundry.paradigm.xyz — an external installer executed from a script is higher-risk operationally (even if the host is a known provider). This should be considered when following the instructions.
Credentials
The env/credential needs in the instructions (PRIVATE_KEY and UNISWAP_API_KEY, optional RPC_URL) are plausible for a swap tool, but the registry metadata failing to declare them is a mismatch. The PRIVATE_KEY is extremely sensitive (gives full wallet control). UNISWAP_API_KEY is reasonable, RPC_URL optional. The skill also instructs granting very large Permit2 allowances — functional for swaps but increases exposure if keys are compromised.
Persistence & Privilege
The skill does not request always:true, does not supply an install that writes persistent code, and does not claim to modify other skills or global agent settings. Autonomous invocation is allowed (default) which increases blast radius when combined with PRIVATE_KEY access, but that default alone is not flagged per policy.
What to consider before installing
This skill contains valid, actionable instructions to perform token swaps on Tempo, but it expects you to provide a PRIVATE_KEY (full control of the wallet) and a UNISWAP_API_KEY even though the published metadata did not declare those requirements — treat that as a red flag. Before using or installing:

  • Do not supply your primary/private mainnet key. Use an ephemeral or tightly funded wallet, or a hardware wallet with manual signing. If you must provide PRIVATE_KEY to an automated agent, accept the risk that the agent could broadcast arbitrary transactions.
  • Limit Permit2 approvals: avoid the unlimited/huge allowance pattern unless you understand and accept the exposure. Approve minimal amounts or use short expirations where supported.
  • Verify endpoints and addresses: confirm RPC_URL, token addresses, Permit2 address, and Uniswap API host are correct and official for Tempo mainnet.
  • Be cautious about running remote installers (the SKILL.md suggests curl | bash for Foundry). Prefer installing tools manually from verified sources or using package managers you trust.
  • Consider asking the publisher to update the skill metadata to explicitly declare required env vars and binaries (PRIVATE_KEY, UNISWAP_API_KEY, cast/curl/jq) so risks are visible before install.

If you cannot accept these risks or cannot constrain the key/allowances, do not use this skill. If you proceed, test with a small amount or on a non-production wallet first.
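
One way to surface the findings above before install, as an added example that is not ClawHub's scanner or the skill's code: it lists environment variables the SKILL.md commands read but the metadata does not declare, and flags the piped installer and the maximum-allowance literals. The function names `sample_skill_md`, `env_inputs` and `audit` are assumptions, and the input is a constructed excerpt of the commands on this page.

```shell
#!/bin/sh
# Added example, not ClawHub's scanner. Function names are assumptions.

# Constructed input: a shortened excerpt of commands from the SKILL.md on this page.
sample_skill_md() {
  cat <<'EOF'
curl -L https://foundry.paradigm.xyz | bash
WALLET=$(cast wallet address --private-key "$PRIVATE_KEY")
curl -sS https://trade-api.gateway.uniswap.org/v1/quote -H "x-api-key: $UNISWAP_API_KEY"
cast send <TOKEN_IN> "approve(address,uint256)" 0x000000000022D473030F116dDEE9F6B43aC78BA3 \
  0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
  --private-key "$PRIVATE_KEY" --rpc-url "${RPC_URL:-https://rpc.presto.tempo.xyz}"
EOF
}

# env_inputs: read text on stdin, print variables it expands but never assigns,
# i.e. values that must come from the caller's environment.
env_inputs() {
  text=$(cat)
  used=$(printf '%s\n' "$text" | grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*' |
    tr -d '${' | LC_ALL=C sort -u)
  assigned=$(printf '%s\n' "$text" |
    grep -oE '(^|[[:space:];])[A-Za-z_][A-Za-z0-9_]*=' | tr -d ' \t;=')
  for v in $used; do
    printf '%s\n' "$assigned" | grep -qx "$v" || echo "$v"
  done
}

# audit [DECLARED_ENV...]: read SKILL.md text on stdin, print one finding per line.
audit() {
  text=$(cat)
  for v in $(printf '%s\n' "$text" | env_inputs); do
    case " $* " in *" $v "*) ;; *) echo "undeclared-env:$v" ;; esac
  done
  # Installer fetched with curl and piped straight into a shell.
  if printf '%s\n' "$text" | grep -qE 'curl[^|]*[|][[:space:]]*(ba)?sh'; then
    echo "pipe-to-shell"; fi
  # Maximum uint256 / uint160 allowance literals, as used by the skill.
  if printf '%s\n' "$text" | grep -qiE \
    '0xf{64}|1461501637330902918203684832716283019655932542975'; then
    echo "max-allowance"; fi
}

# Registry metadata declared no env vars, so audit is called with no arguments.
sample_skill_md | audit
```

Passing the declared variable names as arguments (for example `audit PRIVATE_KEY UNISWAP_API_KEY RPC_URL`) leaves only the installer and allowance findings.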

Like a lobster shell, security has layers — review code before you run it.

latest vk97dgyfsm77ac1c43rxwnygfq1836dv6
187 downloads
0 stars
1 version
Updated 4h ago
v1.0.0
MIT-0

Tempo Stable + Uniswap Swaps

Use this skill for low-friction Tempo execution with Foundry (cast) and Uniswap Trade API.

One-File Mode (Clawhub-Friendly)

Use this SKILL.md alone. No other files are required.

If scripts are unavailable, run the command playbooks in this file directly.

Network + Tokens

  • Chain: Tempo mainnet (chainId=4217)
  • RPC: https://rpc.presto.tempo.xyz
  • pathUSD: 0x20C0000000000000000000000000000000000000
  • USDC.e: 0x20c000000000000000000000b9537d11c60e8b50
  • TDOGE: 0x20C000000000000000000000d5d5815Ae71124d1
  • Permit2: 0x000000000022D473030F116dDEE9F6B43aC78BA3

Foundry Prereq Check (Required)

Check:

command -v cast && cast --version

Install if missing:

curl -L https://foundry.paradigm.xyz | bash
foundryup

pathUSD vs USDC.e

  • pathUSD is Tempo-native infrastructure stablecoin used in routing/fees.
  • USDC.e is bridged stablecoin liquidity.
  • Do not attempt exact full-balance pathUSD transfers; leave fee headroom.

Required Tools + Env

  • Tools: cast, curl, jq
  • Env:
    • PRIVATE_KEY
    • UNISWAP_API_KEY
    • Optional: RPC_URL (default above)

Quick Balance Checks

WALLET=$(cast wallet address --private-key "$PRIVATE_KEY")
cast call 0x20C0000000000000000000000000000000000000 \
  "balanceOf(address)(uint256)" "$WALLET" --rpc-url "${RPC_URL:-https://rpc.presto.tempo.xyz}"
cast call 0x20c000000000000000000000b9537d11c60e8b50 \
  "balanceOf(address)(uint256)" "$WALLET" --rpc-url "${RPC_URL:-https://rpc.presto.tempo.xyz}"

Transfer pathUSD

cast send 0x20C0000000000000000000000000000000000000 \
  "transfer(address,uint256)" <TO> <AMOUNT_RAW> \
  --private-key "$PRIVATE_KEY" --rpc-url "${RPC_URL:-https://rpc.presto.tempo.xyz}" --gas-limit 100000

Swap Any Token on Tempo via Uniswap (Exact Input)

  1. Quote:
curl -sS https://trade-api.gateway.uniswap.org/v1/quote \
  -H 'content-type: application/json' \
  -H "x-api-key: $UNISWAP_API_KEY" \
  --data '{
    "type":"EXACT_INPUT",
    "amount":"<AMOUNT_IN_RAW>",
    "tokenInChainId":4217,
    "tokenOutChainId":4217,
    "tokenIn":"<TOKEN_IN>",
    "tokenOut":"<TOKEN_OUT>",
    "swapper":"<WALLET>",
    "slippageTolerance":2.5
  }'
  2. Ensure approvals: TOKEN_IN -> Permit2:
cast send <TOKEN_IN> "approve(address,uint256)" \
  0x000000000022D473030F116dDEE9F6B43aC78BA3 \
  0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
  --private-key "$PRIVATE_KEY" --rpc-url "${RPC_URL:-https://rpc.presto.tempo.xyz}" --gas-limit 900000

Permit2 -> spender (spender from quote permitData.values.spender):

EXP=$(( $(date +%s) + 31536000 ))
cast send 0x000000000022D473030F116dDEE9F6B43aC78BA3 \
  "approve(address,address,uint160,uint48)" \
  <TOKEN_IN> <SPENDER> 1461501637330902918203684832716283019655932542975 "$EXP" \
  --private-key "$PRIVATE_KEY" --rpc-url "${RPC_URL:-https://rpc.presto.tempo.xyz}" --gas-limit 900000
  3. Build swap tx from quote object (POST /v1/swap with { "quote": <quote_object> }), then simulate:
curl -s "${RPC_URL:-https://rpc.presto.tempo.xyz}" -H 'content-type: application/json' --data \
'{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"from":"<WALLET>","to":"<SWAP_TO>","data":"<SWAP_DATA>"},"latest"]}'
  4. Broadcast:
cast send <SWAP_TO> "<SWAP_DATA>" \
  --private-key "$PRIVATE_KEY" \
  --rpc-url "${RPC_URL:-https://rpc.presto.tempo.xyz}" \
  --gas-limit <GAS_LIMIT> --gas-price <MAX_FEE_PER_GAS>
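
A bounded alternative to the approvals in the steps above, as an added example that is not part of the skill: it sizes both the token approval and the Permit2 allowance to the swap's input amount and caps the expiration, then prints the commands without sending them. The function names, the 15-minute `MAX_TTL` and the sample amount and clock value are assumptions.

```shell
#!/bin/sh
# Added example, not part of the skill. Function names and MAX_TTL are assumptions.
PERMIT2=0x000000000022D473030F116dDEE9F6B43aC78BA3             # address from this page
UINT160_MAX=1461501637330902918203684832716283019655932542975  # the skill's allowance value
UINT48_MAX=281474976710655                                     # largest uint48 expiration
MAX_TTL=900                                                    # assumed policy: 15 minutes

# fits_uint160 DEC: succeed if DEC is a positive decimal integer <= 2^160-1.
# Shell arithmetic is 64-bit, so digit strings are compared instead of numbers.
fits_uint160() {
  case $1 in ''|0*|*[!0-9]*) return 1 ;; esac   # reject empty, zero, leading 0, non-digits
  [ "${#1}" -lt "${#UINT160_MAX}" ] && return 0
  [ "${#1}" -gt "${#UINT160_MAX}" ] && return 1
  # Equal length: byte order equals numeric order, so the larger value sorts last.
  [ "$(printf '%s\n%s\n' "$1" "$UINT160_MAX" | LC_ALL=C sort | tail -n 1)" = "$UINT160_MAX" ]
}

# bounded_allowance AMOUNT_IN_RAW NOW [TTL]: print "<amount> <expiration>".
bounded_allowance() {
  ttl=${3:-$MAX_TTL}
  fits_uint160 "$1" || { echo "amount must be a positive uint160" >&2; return 1; }
  case $2 in ''|*[!0-9]*) echo "NOW must be epoch seconds" >&2; return 1 ;; esac
  case $ttl in ''|*[!0-9]*) echo "TTL must be seconds" >&2; return 1 ;; esac
  if [ "$ttl" -gt "$MAX_TTL" ]; then ttl=$MAX_TTL; fi   # clamp, never extend
  exp=$(( $2 + ttl ))
  [ "$exp" -le "$UINT48_MAX" ] || { echo "expiration exceeds uint48" >&2; return 1; }
  printf '%s %s\n' "$1" "$exp"
}

# approval_plan TOKEN_IN SPENDER AMOUNT_IN_RAW NOW: print (never send) both approvals.
# Append the signer and --rpc-url options exactly as the skill's own commands do.
approval_plan() {
  pair=$(bounded_allowance "$3" "$4") || return 1
  echo "cast send $1 'approve(address,uint256)' $PERMIT2 ${pair% *}"
  echo "cast send $PERMIT2 'approve(address,address,uint160,uint48)' $1 $2 $pair"
}

# Constructed inputs: a sample raw amount and a fixed clock value.
approval_plan '<TOKEN_IN>' '<SPENDER>' 25000000 1700000000
```

The amount passed in should be the same `<AMOUNT_IN_RAW>` sent in the EXACT_INPUT quote; recompute both values whenever the quote is refreshed.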

Known Errors

  • AllowanceExpired(...): set Permit2 allowance for token+spender.
  • InsufficientAllowance: approve token to Permit2.
  • Quote exists but swap reverts: refresh quote and retry.
  • Full pathUSD transfer fails: leave fee headroom.

Optional Script

If available, use:

scripts/uniswap_exact_input_swap.sh --token-in <TOKEN_IN> --token-out <TOKEN_OUT> --amount-in <RAW_AMOUNT>
