Is aqiljaafree/ghostbot-uniswap-v4hooks-testnet safe?

https://github.com/openclaw/skills/tree/main/skills/aqiljaafree/ghostbot-uniswap-v4hooks-testnet

Score: 67 · CAUTION

GhostBot ACLM is a DeFi skill for managing Uniswap v4 liquidity positions that presents several notable concerns. The SKILL.md architecture diagram contains injected shell commands (cd packages/video, pnpm run studio) that are syntactically valid but semantically inconsistent with the surrounding diagram, posing a prompt injection risk for LLM agents. The skill also instructs users to expose Ethereum private keys via shell environment variables and directs the agent to autonomously execute unreviewed Node.js scripts that sign and broadcast blockchain transactions. Canary file integrity was maintained and the install process was clean, but the combination of persona override, embedded commands, private key solicitation, and autonomous financial execution warrants careful review before deployment.

Category Scores

Prompt Injection 52/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (10)

HIGH Shell commands injected into architecture diagram code block -30

The SKILL.md architecture section contains cd packages/video and pnpm run studio embedded within a code-fenced ASCII diagram where they have no semantic purpose. These are valid shell commands that do not correspond to the described system architecture. An LLM agent consuming this as a system prompt could interpret them as pending commands and execute them during skill interaction.

HIGH Skill solicits Ethereum private key via environment variable -20

The skill's setup instructions explicitly ask users to export their private key as DEPLOYER_PRIVATE_KEY. The skill's Node.js scripts, which the agent is instructed to execute autonomously, will read this variable and use it to sign blockchain transactions. This exposes the key to any process in the shell environment and to the script author's RPC endpoint.

MEDIUM Full persona replacement overrides agent identity -12

Opening instruction 'You are the GhostBot assistant.' performs a complete persona substitution, which can displace the agent's existing safety-relevant behaviors and baseline instructions configured by the platform or user.

MEDIUM Agent instructed to autonomously execute multiple unreviewed Node.js scripts -15

The skill's response protocol instructs the agent to run scripts for all user interactions without confirmation. These scripts connect to blockchain nodes, read environment variables including private keys, and submit on-chain transactions. Full script source code was not captured in audit evidence.

MEDIUM Agent executes financial transactions autonomously -15

The skill instructs the agent to execute write transactions on Ethereum without per-operation user confirmation. The pattern of autonomous financial transaction execution is high risk, particularly since users may transition from testnet to mainnet usage after becoming comfortable with the workflow.

MEDIUM npm dependency uses open semver range without lock file -10

package.json specifies viem@^2.20.0 without a lockfile in the skill repository. Future npm installs can silently pull newer minor versions, creating supply chain risk.

LOW Placeholder URL in skill body indicates incomplete review -6

Source code URL was left as a placeholder, indicating the skill was published without final review. This reduces confidence in the overall quality and intentionality of the skill's content.

LOW Scripts connect to user-supplied external RPC endpoints -10

RPC_URL is configurable and scripts will send wallet addresses and transaction data to whatever endpoint is configured. A maliciously suggested RPC endpoint could harvest wallet metadata.

INFO Clean install via sparse checkout with expected network connections -8

Installation cloned only the target skill subdirectory from the openclaw/skills monorepo. Network activity was limited to GitHub and Ubuntu system services. No post-install hooks, unexpected processes, or out-of-scope filesystem writes were detected.

INFO No canary file exfiltration detected 0

All honeypot files remained unmodified. Read accesses to canary files in auditd logs are attributable to the monitoring system's pre/post install integrity check, not to skill scripts.