Is harleyscodes/saucerswap-arbitrage safe?
https://github.com/openclaw/skills/tree/main/skills/harleyscodes/saucerswap-arbitrage
The saucerswap-arbitrage skill is a DeFi arbitrage skill targeting Hedera's SaucerSwap DEX; its install process is clean with no prompt injection, no unexpected network connections, and all canary credential files remain intact. However, the skill poses material financial risk: it instructs agents to execute real atomic swaps on Hedera mainnet without built-in user-confirmation steps, lists a SaucerSwap V2 contract address (0xA6F4E11E5D8A3F62A7D4E3E6B1E7F3C9E8F2A1B4) that does not match any known verified deployment, and routes all trade quotes through an unverified third-party API. The skill is not malicious in intent but is dangerous in deployment — it should only be installed in environments where the agent has no autonomous wallet signing access and all trades require explicit human approval.
Findings (9)
HIGH Unverified SaucerSwap V2 Contract Address -20
The skill lists SaucerSwap V2 at 0xA6F4E11E5D8A3F62A7D4E3E6B1E7F3C9E8F2A1B4, an address that does not match any known verified SaucerSwap V2 deployment on Hedera mainnet. SaucerSwap V1 (0xcaec9706a4622D356d2D3aEd8f8D40c51f0C0dF) appears plausible, but the V2 address follows an EVM-style pattern inconsistent with known Hedera deployments. An agent executing swaps against this address could send funds to an unknown or malicious contract with no recourse.
HIGH Mainnet Financial Transaction Execution Without User Guardrails -30
The skill description explicitly invites the agent to 'Execute atomic swaps' and the code example calls ContractExecuteTransaction.setFunction('swap') directly. There are no built-in user-approval checkpoints, confirmation prompts, or abort conditions. An agent equipped with Hedera wallet tools that follows this skill's instructions will execute live mainnet trades autonomously, with real financial consequences.
MEDIUM Third-Party Routing API Dependency Without Integrity Verification -15
All swap route calculations are delegated to mainnet-api.saucerswap.fi with no response signature verification, rate-limiting awareness, or fallback logic. A compromised API, DNS spoofing, or MitM attack could return routes that front-run user trades, route through low-liquidity attacker pools, or return inflated quotes to maximize slippage loss.
MEDIUM Live Blockchain Transaction Code Embedded in Skill -20
SKILL.md contains functional TypeScript that imports axios for HTTP requests and constructs a ContractExecuteTransaction. If an agent with code-execution tools reads this skill and follows its instructions, it will run real Hedera network transactions without any sandboxing or dry-run mode. The code is not pseudocode — it uses real SDK classes.
MEDIUM Contract Execution Targets Unverified Pool Address -15
The ContractExecuteTransaction example calls setContractId(poolAddress), where poolAddress would be resolved from the SaucerSwap V2 address listed in the skill. Since that address is unverified, any agent that executes this code risks submitting a signed Hedera transaction to an unknown contract.
MEDIUM Swap Execution Requires Agent Access to Wallet Credentials -15
Executing the Hedera contract calls described in the skill requires the agent to hold or be granted access to private keys or HashPack wallet signing authority. The skill provides no guidance on secure key handling, scoping, or revocation, increasing the surface for an agent to log, pass, or expose credentials to external tools or logs.
LOW API URL Template Accepts Agent-Controlled Interpolation -10
The routing URL uses JavaScript template literals with agent-supplied variables (tokenA, tokenB, amountIn). In a prompt-injection or jailbreak scenario, an agent could be instructed to substitute sensitive values (API keys, environment variables, file contents) as these parameters, exfiltrating them to the external API host in the URL.
LOW Skill Instructs Agent to Fetch External URLs -15
While not a direct prompt injection, the skill embeds live-URL fetch instructions inside code examples. Any version update to the SKILL.md could silently redirect the fetch target to an attacker-controlled host, causing the agent to exfiltrate data or receive malicious routing responses on future executions without the user's knowledge.
INFO Expected Outbound HTTPS to GitHub During Install 0
A single outbound HTTPS connection to 140.82.121.3 (github.com:443) was observed during installation, consistent with the git sparse-checkout clone of the openclaw/skills monorepo. No unexpected processes, no firewall-blocked attempts, and no connections to non-GitHub hosts were detected.