Is joelccodes/clawdex-trading safe?

https://github.com/openclaw/skills/tree/main/skills/joelccodes/clawdex-trading

64
CAUTION

The clawdex-trading skill describes legitimate Solana DeFi trading functionality via the Jupiter aggregator, and its install-time clone behavior is clean (GitHub only, no suspicious processes). However, it carries significant deferred risk: the skill instructs agents to globally install the unverified, unpinned npm package 'clawdex@latest', which is given the path to the user's Solana private key file (~/.config/solana/id.json) and API credentials as process arguments, and is authorized to execute irreversible mainnet transactions, with the '--yes' flag bypassing all confirmations. A supply-chain compromise of the clawdex npm package would give an attacker full wallet control with no additional user interaction required.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 52/100 · 25%
Code Execution 48/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 93/100 · 10%
Behavioral Reasoning 42/100 · 5%

Findings (7)

HIGH Auto-install of unverified, unpinned npm package -40

SKILL.md instructs the agent to run 'npm install -g clawdex@latest' if clawdex is not already installed. The package is unpinned (@latest), unverified against any integrity hash, and installed globally. npm postinstall hooks execute arbitrary code at install time. A future supply-chain compromise of the clawdex npm package would affect all users of this skill silently.

HIGH Solana private key passed to unverified binary -30

The onboarding command passes '--wallet ~/.config/solana/id.json' directly to the clawdex process. This file contains the Solana account private key. Because clawdex is an unverified npm package, it can read and transmit this key. Combined with real transaction execution, a compromised clawdex would have full control over the user's wallet.

MEDIUM API keys and RPC URLs passed to unverified CLI -18

The skill passes the values of the $JUPITER_API_KEY and $SOLANA_RPC_URL environment variables as command-line arguments to clawdex. Command-line arguments are visible in /proc and can be logged by the process. An unverified clawdex binary could log and transmit these credentials.

MEDIUM Real irreversible financial transactions with confirmation bypass -35

The skill explicitly recommends '--yes' to bypass interactive confirmation on swap commands, and the Trading Workflow section instructs the agent to execute real Solana mainnet swaps. If an attacker compromises the clawdex binary or injects malicious token addresses, the agent will execute and confirm real financial transfers without user review.

MEDIUM Supply chain persistence risk -20

Because the install command 'npm install -g clawdex@latest' tracks the @latest tag, any future publish of a malicious version of the clawdex package to the npm registry will be silently picked up on the next agent invocation, even months after the skill was reviewed. There is no lockfile or integrity pin.

LOW Clone sourced from community monorepo, not author's own repo -12

The skill is distributed via the shared openclaw/skills monorepo, meaning any contributor to that repository could potentially modify this skill. The _meta.json points to a specific commit hash which provides some integrity guarantee, but the @latest npm tag creates a divergence point.

INFO Canary files read in batches — consistent with audit infrastructure -7

All six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud ADC) were read at identical millisecond timestamps both before (1771919598.668) and after (1771919615.333) installation. This batch pattern is characteristic of the oathe audit harness performing baseline and post-install integrity verification, not of the skill probing credentials.