Uniswap Track Performance

v0.1.0

Track the performance of Uniswap LP positions over time — check which positions need attention, are out of range, or have uncollected fees. Use when the user asks how their positions are doing.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the instructions: the skill is only for checking Uniswap LP positions and delegates the actual checks to a portfolio-analyst subagent. There are no unrelated binaries, services, or capabilities requested in the skill itself.
! Instruction Scope
SKILL.md limits runtime actions to extracting parameters and invoking Task(subagent_type:portfolio-analyst). However the doc also references wallet configuration and PRIVATE_KEY in the Error Handling section, which expands the scope (access to wallet credentials) without specifying how those credentials are used, stored, or transmitted. The delegation is vague about what data is forwarded to the subagent and whether any external endpoints are contacted.
Install Mechanism
This is instruction-only (no install spec, no code files), which is low-risk. README contains example npx/clawhub install commands pointing to an external GitHub path — those are documentation-only in the package, not an execution/install spec in the skill registry. If you follow those README install commands, they would pull code from an external repo (not part of the runtime spec here), so treat them as separate trust decisions.
! Credentials
The skill declares no required env vars, yet SKILL.md advises setting WALLET_TYPE and PRIVATE_KEY in Error Handling. That is a mismatch: the skill implicitly expects sensitive wallet credentials but does not declare them as required nor explain why they are needed. Delegating to a subagent that likely needs wallet access raises risk of private-key exposure or unauthorized transactions unless the subagent is explicitly read-only and trustworthy.
Persistence & Privilege
always: false (no forced inclusion). The skill does not request to persist or modify other skills or system-wide settings in its instructions. Autonomous invocation is allowed by platform default (not a unique concern here).
What to consider before installing
This skill seems to do what it says, but it implicitly expects access to a configured wallet/private key even though it doesn't declare required environment variables. Before installing or using it:
1) Ask what the 'portfolio-analyst' subagent does and whether it requires a PRIVATE_KEY or will perform on-chain transactions.
2) Never paste or store your private key into a third-party skill; prefer providing a read-only wallet address for analysis, or use an RPC/subgraph API that only requires public data.
3) If the skill (or portfolio-analyst) requests env vars like PRIVATE_KEY, decline unless you fully trust the code and can audit it; prefer solutions that use a hardware wallet or read-only view keys.
4) If you plan to follow the README's npx/install commands, treat that as a separate trust decision — inspect the remote repo first.
5) Ask the skill author to explicitly list any required env vars and to confirm that analysis will be read-only (no private key transmission or transactions).


latestvk972emk3ayc2xh1339gxbnrp3180wyr8
