ClawHub

Torch Market

v10.2.6

Every token is its own margin market. Depth-adaptive risk engine, treasury-backed lending, real-token short selling. No oracles. No stored baselines. No keep...

6· 4.7k·3 current·3 all-time
bymr brightside@mrsirg97-rgb
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletCan make purchasesCan sign transactions
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Torch Market, Solana margin markets) match the actual artifacts: SDK, transaction builders, on-chain program ID, and RPC endpoint requirement. Declared env vars (SOLANA_RPC_URL primary, optional SOLANA_PRIVATE_KEY, optional TORCH_NETWORK) are appropriate for a Solana client that can build/sign transactions or operate read-only.
Instruction Scope
SKILL.md and agent.json describe read-and-build flows, optional local signing, and an RPC-first, non-custodial SDK. The SDK and docs indicate it will fetch token metadata / SAID / CoinGecko as needed (expected). The instructions do not ask for unrelated system files or unrelated credentials, but they do allow signing when SOLANA_PRIVATE_KEY is provided — the docs specifically warn to use a disposable controller key and never a vault authority key.
Install Mechanism
No remote download/install is required by default; the SDK is bundled in lib/torchsdk/ and an optional npm install is declared. There are no extract-from-arbitrary-URL installs or shorteners; install choices are proportionate and traceable (npm/github).
Credentials
Only three env vars are declared (SOLANA_RPC_URL required, SOLANA_PRIVATE_KEY optional, TORCH_NETWORK optional). That is proportional for a Solana client. Important user caveat: the skill supports signing when a private key is provided — the docs repeatedly warn the key must be a fresh/disposable controller key and not a vault authority. If you supply a long-term vault or custodial key, you risk loss of funds.
Persistence & Privilege
always:false and disable-model-invocation:true — the skill is not force-included and has model invocation disabled, reducing autonomous privilege. The skill does not request system-wide config paths or other skills' credentials.
Assessment
This skill appears coherent for interacting with the Torch Market Solana program. Before installing: 1) Only set SOLANA_PRIVATE_KEY if you intend to sign transactions from a disposable controller wallet (do NOT use a vault authority or long-term key). 2) Verify the SOLANA_RPC_URL points to an RPC you trust. 3) The SDK will fetch token metadata (URIs can point to arbitrary hosts/IPFS), so treat returned metadata as untrusted content. 4) Review the bundled lib/torchsdk/ code or prefer local auditing if you plan to auto-sign transactions. 5) Confirm the on-chain program ID (8hbUkon...BeT) and official project links (website/github) independently before depositing value. The skill disables autonomous model invocation, which reduces risk, but supplying a real signing key always increases blast radius — follow the docs' disposable-key guidance.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dv7y8z0xd66gnzx5t1y02r584n7r7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Env[object Object], [object Object], [object Object]
Primary envSOLANA_RPC_URL

Comments