Uniswap Pool Analysis
v0.1.0Analyze Uniswap pool data including liquidity distribution, fee tiers, tick ranges, and TVL. Use when the user asks about pool metrics, liquidity analysis, or wants to query on-chain pool state.
⭐ 0· 765·2 current·2 all-time
by@wpank
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description and the instructions align: the SKILL.md describes reading Uniswap pool state (slot0, liquidity, ticks) via viem and computing distributions — all appropriate for a 'Uniswap Pool Analysis' skill. Nothing in the task appears unrelated to pool analysis.
Instruction Scope
The runtime instructions explicitly use process.env.ETHEREUM_RPC_URL and recommend using a shared 'packages/common/' chain config and subgraph endpoints. However the skill declares no required env vars or config paths. The SKILL.md therefore directs the agent to access environment variables and repository-local configuration that are not announced — this is scope creep and could cause the agent to read secrets or local files unexpectedly.
Install Mechanism
This is instruction-only with no install spec or code files, so there is no installer-writing-to-disk risk from the published bundle. Note: README contains example npx install commands pointing at a GitHub path and 'clawhub' which would pull external code if the user follows them — that is external to the published skill and should be audited separately.
Credentials
The SKILL.md expects an ETHEREUM_RPC_URL and mentions RPC URLs, subgraph endpoints, and shared chain config, but requires.env is empty and no primary credential is declared. Requesting an RPC URL (often a secret if using a paid provider) is reasonable for the purpose, but the omission of any declared env requirements is an incoherence that could lead to silent attempts to read environment variables or fallback to user/system defaults.
Persistence & Privilege
The skill does not request persistent/always-on presence (always: false) and does not attempt to modify other skills or system config in the published content. Autonomous invocation is allowed by platform default, which is normal; there are no extra privilege requests in the bundle.
What to consider before installing
This skill appears to do what it says (on-chain Uniswap pool analysis) but there are a few inconsistencies you should resolve before installing or running it:
- SKILL.md reads process.env.ETHEREUM_RPC_URL but the skill does not declare any required environment variables. Decide which RPC provider you will use and whether that URL is OK to supply (do not provide private keys or account secrets). Prefer read-only public RPC endpoints or carefully scoped provider keys.
- The instructions reference a local 'packages/common/' chain config and subgraph endpoints. Verify whether that config exists in your environment or in the external repository referenced by the README; otherwise the agent may try to read files that aren't present.
- The README shows example install commands that fetch code from a GitHub repo and via 'clawhub' — if you follow those, audit the remote repo before running any installer (it may contain code not present in this published bundle).
- If you want to use this skill, ask the publisher to update requires.env to declare ETHEREUM_RPC_URL (and any other needed endpoints), or provide clear guidance on safe default endpoints. Also request clarification about the 'packages/common/' dependency.
Confidence: medium — the core functionality is coherent, but missing declarations around network endpoints/config are non-trivial and could cause unexpected environment access if not clarified.Like a lobster shell, security has layers — review code before you run it.
latestvk97a7z4n850hjz70wvetgs6jh180x6qd
License
MIT-0
Free to use, modify, and redistribute. No attribution required.