ClawHub
Back to skill
v0.1.0

Uniswap Design Integration

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:33 AM.

Analysis

This is a coherent instruction-only Uniswap architecture skill with no code, credentials, or persistence, though users should notice that it can delegate project context to a subagent and has file edit tools available.

GuidanceThis skill appears safe to install as an instruction-only design aid. Before using it on a private repository, avoid sharing secrets, supervise any proposed file edits, and prefer a pinned or registry install source if you need reproducible provenance.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
allowed-tools: >-\n  Read, Write, Edit, Glob, Grep,\n  Task(subagent_type:integration-architect),\n  mcp__uniswap__get_supported_chains

The skill grants file mutation tools even though the documented workflow is to present an integration blueprint. This does not show unsafe behavior, but users should supervise any proposed file changes.

User impactThe agent could potentially create or edit local files if it chooses to use the granted tools.
RecommendationReview and approve any file edits explicitly; if the skill is only needed for advice, consider limiting it to read/search and response-only tools.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
README.md
npx skills add https://github.com/wpank/Agentic-Uniswap/tree/main/.ai/skills/design-integration

The README documents installation from a GitHub branch path rather than a pinned commit or release. For this instruction-only skill the impact is limited, but pinning improves provenance.

User impactInstalling from a moving branch may fetch different skill text in the future.
RecommendationPrefer installing from the registry version or a pinned commit/release when reproducibility matters.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
Invoke `Task(subagent_type:integration-architect)` with the full context.

The skill delegates to another agent and may pass full project context, including existing codebase details. This is purpose-aligned for architecture analysis, but it is still a data-boundary point users should notice.

User impactProject details or code snippets included in the request may be shared with the delegated integration-architect agent.
RecommendationAvoid including secrets or unrelated private files in the prompt/context, and confirm that subagent delegation is acceptable for the project.