Uniswap Manage Liquidity

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for Uniswap liquidity management, but it needs review because it can drive real wallet approvals and transactions while under-specifying confirmation and key-handling safeguards.

Review carefully before installing with a real wallet. Verify the referenced liquidity-manager, pool-researcher, and Uniswap MCP setup; avoid putting a raw private key in plaintext .env if possible; use a wallet, hardware signer, or secure secret manager; and only sign after checking chain, token addresses, pool, amount, spender, approval limit, expiry, gas, slippage, and transaction summary. Prefer limited approvals and revoke unused approvals afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The README advertises adding/removing liquidity and collecting fees but does not clearly warn that these actions can trigger real blockchain transactions, spend tokens, require approvals, and be irreversible once confirmed. In a wallet-connected agent context, this omission can cause users to underestimate the financial risk and authorize transactions they do not fully understand.

Natural-Language Policy Violations

Medium
Confidence: 94%
Finding
The skill instructs operators to place a PRIVATE_KEY in a .env file, which encourages long-lived secret storage in plaintext configuration. In an agentic system with tool access and possible logging, prompt leakage, repo exposure, or local compromise, this materially increases the risk of wallet theft and irreversible loss of funds.

VirusTotal

61/61 vendors flagged this skill as clean.
