Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cl Lp Rebalancer

v3.9.2

Automatic rebalancing strategy for Uniswap V3 concentrated-liquidity LP positions. Range width adapts to volatility: tighten the range in low volatility (higher capital efficiency), widen it in high volatility (fewer rebalances and less IL). Supports asymmetric trend adjustment, multi-timeframe analysis, and a fully automated claim/remove/swap/deposit flow. Intended for CL LP management, rebalancing, range optimization, ... on EVM L2 chains.

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, README, SKILL.md and Python code consistently implement a Uniswap V3 concentrated-liquidity rebalancer that calls onchainos CLI and OKX APIs — that is coherent. However the packaged code also includes optional integrations (Binance, Hyperliquid, Discord, Telegram) that go beyond the minimal rebalancer requirements; those integrations can be useful but are not declared in the skill metadata.
Instruction Scope
SKILL.md instructs use of onchainos and to create a local .env with API keys (expected). The actual runtime script (cl_lp.py) reads many other local config files (e.g., ~/.openclaw/openclaw.json and multiple dotfiles) and environment variables, and may pull notification credentials from unrelated configs. Reading home-directory application config files and multiple credential sources is outside the explicit instructions and grants broader data access than the SKILL.md claims.
Install Mechanism
No install spec is provided (instruction-only with included Python scripts). No external downloads or archive extraction are specified, so there is low install-time risk from arbitrary remote code retrieval.
Credentials
The registry metadata declares no required env vars, but the code expects/uses OKX API keys and passphrase, and optionally TELEGRAM_BOT_TOKEN/CHAT_ID, DISCORD_BOT_TOKEN/CHANNEL_ID, BINANCE_API_KEY/SECRET, HL_WALLET_ADDR, etc. The script also attempts to read those tokens from other local configs. Declaring no required credentials while the code accesses many secrets is a mismatch and increases risk of accidental credential exposure.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It writes state and logs locally in its references directory (cl_lp_state.json, cl_lp.log), which is expected for a scheduler/agent. The README suggests user-installed cron jobs, but the skill itself does not appear to auto-register persistent system-wide changes.
What to consider before installing
This skill implements a plausible LP rebalancer, but it reads and will try to use multiple credentials and local config files that were not declared in the registry metadata. Before installing or running it:
1) Inspect the .env.example and config.json in the skill and do not populate unnecessary credentials (use a dedicated, low-value wallet and scoped API keys).
2) Grep cl_lp.py for places it reads home files (~/.openclaw/openclaw.json, ~/.zeroclaw config files) and remove or sandbox those files if you don't want the skill to access them.
3) Run only safe read-only commands first (python3 cl_lp.py status) and check behavior; do not run tick/tick-loop until you fully trust the CLI (onchainos) and the OKX API key/wallet setup.
4) If you use notification integrations (Telegram/Discord), prefer creating new bot tokens/chat IDs dedicated to this skill and avoid reusing tokens that grant broader access.
5) Consider running the skill in an isolated environment (VM/container) and with minimal funds; revoke or rotate any keys used for testing.
If you want a lower-risk alternative, ask the author to remove automatic home-directory/config probing and to explicitly document required environment variables in the registry metadata.
