Uniswap Rebalance Position

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about rebalancing Uniswap LP positions, but users must treat it as real-money transaction guidance and verify every wallet prompt.

Install only if you understand that rebalancing can irreversibly move real assets, realize impermanent loss, incur gas/slippage, create token approvals, and generate a new LP NFT. Before signing, verify chain, pool, position ID, token amounts, range, slippage, recipient, deadline, approval limits, and the liquidity-manager subagent being used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The README promotes a workflow that closes and reopens Uniswap LP positions, which can materially change asset balances, realize impermanent loss, and incur gas/slippage costs, but it does not warn users that these are irreversible on-chain transactions with financial consequences. In a skill explicitly designed to automate rebalance actions, the lack of prominent transaction-risk and asset-impact disclosure increases the chance that users execute harmful trades without informed consent.

Vague Triggers

Medium
Confidence: 91%
Finding
The activation phrases are broad enough to match ambiguous portfolio or troubleshooting requests, which can cause this high-risk transactional skill to trigger when the user did not explicitly intend a rebalance workflow. In this context, the skill can lead to prompts that steer the user toward closing and reopening LP positions, an irreversible financial action with gas costs, realized impermanent loss, and possible loss from poor timing, so overbroad invocation materially increases risk.

VirusTotal

66/66 vendors flagged this skill as clean.
