Torch Liquidation Bot
v10.0.0
Autonomous vault-based liquidation keeper for Torch Market lending on Solana. Scans all migrated tokens for underwater loan positions using the SDK's bulk lo...
by mr brightside (@mrsirg97-rgb)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Torch Liquidation Bot) match the bundled code and runtime instructions: the bot scans lending markets, builds liquidation transactions using the bundled Torch SDK, and signs/submits them via a controller keypair. Required env vars (SOLANA_RPC_URL, VAULT_CREATOR, optional SOLANA_PRIVATE_KEY) are appropriate for this purpose. Minor metadata serialization/display issue seen in the registry summary (shows '[object Object]') but SKILL.md and agent.json correctly list env vars.
Instruction Scope
SKILL.md and the bundled lib/kit code restrict actions to discovering tokens, scanning loan positions, building liquidation transactions, signing with a disposable controller keypair, and submitting via the given Solana RPC endpoint. The skill does not instruct reading unrelated system files or sending data to arbitrary external endpoints. The SDK may fetch token metadata / SAID / CoinGecko as described in audit notes (expected for token metadata), but core operations are RPC-first and local signing. The instructions explicitly prohibit supplying vault authority keys.
Install Mechanism
The package includes bundled JS/TS runtime files (lib/kit, lib/torchsdk), so no remote install is strictly required. SKILL.md/agent.json offer an optional npm install (torch-liquidation-bot@^10.0.0) — that is a standard registry install path (moderate trust). The registry summary's top-level claim 'No install spec — instruction-only' is inconsistent with bundled source and the optional npm entry in metadata; this is likely a metadata labeling issue rather than a malicious download. No download-from-arbitrary-URL or extract operations detected.
Credentials
Requested environment variables are proportionate: SOLANA_RPC_URL (RPC endpoint) and VAULT_CREATOR (vault identifier) are required; SOLANA_PRIVATE_KEY is optional and explicitly recommended to be a fresh disposable controller keypair. No unrelated credentials or broad system secrets are requested. The skill explicitly warns not to supply vault authority keys and describes the principle of vault custody.
Persistence & Privilege
disable-model-invocation is set true (the skill cannot be invoked autonomously by the model), and always is false. The skill runs as a user-invoked agent program and does not request forced persistent inclusion. It does sign and send transactions when run (expected for a keeper); this is an operational privilege but matches the declared purpose.
Assessment
This skill appears to be what it claims: a vault-routed liquidation keeper that scans loans and submits liquidation transactions using a disposable agent key. Before you run it:
1) Read SKILL.md and the bundled lib/kit and lib/torchsdk sources to confirm behavior (sources are included and audited).
2) Never provide your vault authority private key — only use the VAULT_CREATOR pubkey and a fresh disposable controller key (recommended ~0.01 SOL).
3) Start on devnet or a small test vault to confirm behavior and RPC compatibility.
4) Note the optional npm install is not required since code is bundled; if you do npm install, treat third-party registry risk as usual.
5) Be aware the SDK may fetch token metadata (CoinGecko/SAID) for enrichment — acceptable for UI but review network calls if you have strict egress rules.
6) The registry summary had a minor metadata/display inconsistency (env vars shown as '[object Object]'); trust the SKILL.md/agent.json values rather than the terse registry summary.
If you need higher assurance, verify the included audit artifacts (audit_sdk.md, audit_program.md, verification.md) and test end-to-end on a fork or devnet before using significant funds.
Like a lobster shell, security has layers — review code before you run it.
latest: vk973wfg76x62kx5shnt13fa6m184p54v
Runtime requirements
Env: [object Object], [object Object], [object Object]
Primary env: SOLANA_RPC_URL
