Is kaelxsol/clawsnipe safe?

https://github.com/openclaw/skills/tree/main/skills/kaelxsol/clawsnipe

79 · CAUTION

ClawSnipe presents no evidence of prompt injection attacks, malicious code, credential theft, or canary file compromise — the installation is technically clean. However, the skill executes real, irreversible Solana cryptocurrency trades autonomously (up to 2 SOL total exposure) across highly volatile memecoins, and its copy-trading feature creates a concrete exploitation path for pump-and-dump schemes via controlled 'whale' wallets. All protective safety checks rely entirely on axiom.trade's browser UI rendering honest information, meaning a compromised or manipulated page bypasses every safeguard silently.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 35/100 · 5%

Findings (8)

HIGH Autonomous Execution of Irreversible Real Financial Transactions -35

The skill executes live SOL cryptocurrency trades up to 0.5 SOL per position and 2 SOL total without per-trade user confirmation. Memecoin trading is highly volatile; a single misread browser snapshot, slippage, or UI manipulation event results in an irreversible on-chain loss. The skill also sets stop-losses and take-profits autonomously, meaning the agent can exit positions at a loss while the user is unaware.

HIGH Copy Trading Feature Exploitable via Controlled Wallet -30

The copy-trading flow triggers on any tracked wallet buy exceeding 0.1 SOL and purchases 10-30% proportionally after only a browser-based safety check. An attacker who controls a tracked wallet can orchestrate a pump-and-dump: buy a low-liquidity token, wait for copy-traders to pile in at a higher price, then sell. The skill's safety checks (liquidity > 10 SOL, no single holder > 10%) may be bypassed if the attacker seeds initial liquidity and manages their stake below thresholds.

MEDIUM Agent Persona Override via Identity Reassignment -25

The very first sentence of SKILL.md's body content reassigns the agent's identity: 'You are an AI trading agent that executes trades on Axiom.' This persona override can suppress the host agent's normal risk-assessment instincts in financial contexts and may cause the agent to prioritize trade execution over user protection when the two conflict.

MEDIUM Full Authenticated Wallet Session Under Skill Control -20

The skill assumes control of an already-authenticated browser session. Within that session, the user's Solana wallet private key material is not exposed, but wallet address, full balance, all positions, transaction history, and connected account data are readable. All of this flows through axiom.trade, a third-party platform with its own data practices. The skill's design provides no isolation between the skill and this sensitive financial context.

MEDIUM Safety Checks Entirely Dependent on axiom.trade UI Truthfulness -15

All protective logic (mint authority disabled, liquidity > 10 SOL, no holder > 10%, freeze authority revoked) is implemented by reading text from browser snapshots of axiom.trade. If axiom.trade is compromised via XSS, if a rogue RPC endpoint is injected, if DNS is poisoned, or if token metadata is crafted to display false safety signals, every safety check silently passes. There is no out-of-band verification of any safety indicator.

LOW Install Process Is Clean With No Anomalies -10

The installation performed a standard git sparse-checkout from github.com, placed exactly two files into the skill directory, and cleaned up the temporary clone. No unexpected network destinations, no process spawning outside normal git/ssh infrastructure, and no filesystem writes outside the designated skill directory were observed.

INFO Canary File Accesses Are Monitoring Infrastructure Artifacts 0

Inotify events show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials being read at 11:46:52 and again at 11:46:58 (audit timestamps 1771933612 and 1771933630). The git clone does not begin until network connections to 140.82.121.3:443 appear at 11:46:58.544. These reads are attributable to the Oathe pre-install canary placement and post-install integrity verification, not the skill. All hashes are confirmed intact.

INFO No Executable Code, Scripts, or Supply-Chain Hooks Present 0

The skill consists exclusively of SKILL.md and _meta.json. Filesystem diff confirms only these two files were added. No npm scripts, git hooks, compiled binaries, or shell scripts were introduced. There is no code-execution attack surface from the installed artifact itself.