Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Uniswap Build Hook

v0.1.0

Build a Uniswap V4 hook. Use when user wants to create a custom V4 hook contract. Generates Solidity code, Foundry tests, mines CREATE2 address for hook flags, and produces deployment scripts. Handles the full hook development lifecycle.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description match what the SKILL.md instructs: generate Solidity, tests, CREATE2 mining and deployment scripts. Allowed tools (forge/npm/git, Task(subagent_type:hook-builder), an MCP getter) are appropriate for that workflow. Minor inconsistency: SKILL.md says it 'does not call MCP tools directly' but mcp__uniswap__get_supported_chains appears in allowed-tools; also the README lists a GitHub install path while the skill metadata marks source as unknown — you should verify the subagent and repo origin before use.
Instruction Scope
Instructions stay within the described development workflow and do not ask to read unrelated system files or credentials. However the skill delegates all behavior to a Task(subagent_type:hook-builder); that subagent could expand scope (read files, request secrets, call external endpoints). The skill itself does not include guardrails requiring code review of generated artifacts.
Install Mechanism
This is an instruction-only skill with no install spec (lowest disk risk). The SKILL.md includes a suggested Foundry install command (curl ... | bash) in its error/help text — a common but higher-risk convenience pattern; the skill won't automatically run it, it only suggests it to the user.
Credentials
The skill requests no environment variables or credentials, which is proportionate. Be aware generated deployment scripts will typically require RPC URLs and private keys to deploy — the skill does not request those but the developer will need to provide them; review scripts to ensure they don't hard-code or exfiltrate secrets.
Persistence & Privilege
always is false and the skill does not request persistent system changes. It delegates to a subagent but does not claim to modify other skills or global agent config.
Assessment
This skill is internally consistent with its purpose, but take these precautions before installing or running it:
1) Verify the provenance — the README points to a GitHub path but the skill metadata lists the source as unknown; confirm the repository and author.
2) Review the hook-builder subagent implementation (Task(subagent_type:hook-builder)) because the skill delegates full code generation and mining to that agent and it could perform additional actions.
3) Expect CREATE2 mining to be CPU/time intensive; test on a dev machine or CI with resource limits.
4) Carefully review generated deployment scripts before using them — they will need RPC URLs and private keys to deploy; never paste private keys into third-party agents and prefer using environment-based or hardware wallet signing.
5) The suggested Foundry install uses curl | bash — if you accept that, run it only from the official Foundry sources and on trusted machines.
If you want a lower-risk path, ask the skill to provide code only (no automatic mining or deployment scripts) so you can run compilation/mining locally under your control.

Like a lobster shell, security has layers — review code before you run it.
