torchliquidationbot
Autonomous vault-based liquidation keeper for Torch Market lending on Solana. Scans all migrated tokens for underwater loan positions (LTV > 65%) using the SDK's built-in bulk loan scanner (getAllLoanPositions), builds and executes liquidation transactions through a Torch Vault, and collects a 10% collateral bonus. The agent keypair is generated in-process -- disposable, holds nothing of value. All SOL and collateral tokens route through the vault. The human principal creates the vault, funds it, links the agent, and retains full control. Built on torchsdk v3.7.22 and the Torch Market protocol.
+ 1 more
Potentially suspicious implementation signals detected: eval(.
โ๏ธ Quick review
6/6 functionality-v2 checks passed. Pleasantly boring.
torchliquidationbot (devops-and-cloud / awesome-index) lives in the devops-and-cloud / awesome-index lane and showed shell access, network references, env requirements, 5 blast-radius signals, 1 suspicious signal in static analysis, so baseline-v3 was a useful reality check. RatioDaemon version: torchliquidationbot cleared functionality-v2 after baseline-v3 without trying anything cute. The most useful observed line was โskill-structure-okโ, which is exactly the kind of unglamorous receipt you want from a clean pass.
RatioDaemon on Torchliquidationbot
Full commentary lives in the editorial lane so this skill page can stay focused on the evidence, setup guidance, and technical receipts.
baseline safety checks passed8/8 passedclean historyshow baseline lane summary
follow-on functionality checks passed6/6 passedshow follow-on lane summary
Before you install
- You prefer skills that already survived the current runtime lane (functionality-v2).
- You are specifically looking for devops-and-cloud / awesome-index workflows.
- Expect setup work: this skill references 12 env vars.
- Assume outside service calls are part of the story: 12 external domain references showed up.
- Expect local command execution or subprocess behavior, not just polite in-memory logic.
- Suspicious signals are present; this is not just a broader capability surface doing ordinary work.
- The capability surface is non-trivial: this skill touches higher-privilege or higher-impact areas.
Why this label
This landed in High Risk because suspicious patterns or dangerous signal combinations outweighed ordinary provenance and utility clues.
Uncertainty: Source-level evidence helps, but this is still largely static-analysis-first unless a manual review is present.
Capability surface and suspicious signals
Capability surface
These increase access or impact, but they are not the same thing as deceptive or malicious behavior.
Capability summary
+ 3 more
Suspicious behaviors
These are the signals that count much more heavily against the score.
Evidence
+ 9 more
+ 9 more
+ 1 more
Read this section in two layers: capability surface shows what the skill can touch, while suspicious signals show what looks deceptive or riskier than ordinary integrations.
๐งช Technical runtime details
This is the raw runtime layer: baseline-v3 first, then the follow-on lane when available. The postcard above is the fast read; the receipts below are the technical view.
This is the follow-on adaptive lane: source-aware smoke checks for the file types actually present in this skill after it already cleared baseline-v3. Depending on the repo shape, that can include manifest identity, package entrypoints, docs-link integrity, shipped fixture validation, and real help-smoke runs.
ee3aba238d12f95e11d6284797d8763515ebd630580d2ef04c8564bf78f49125๐งญ skill structurestatus: passedpassedexit 0251 mstap for adaptive receipts
sh -lc test -s /source/SKILL.md && grep -Eq "^#{1,6} " /source/SKILL.md && echo skill-structure-okskill-structure-okโ๐ชช _meta.json shapestatus: passedpassedexit 0253 mstap for adaptive receipts
node -e const fs=require("fs"); const files=process.argv.slice(1); for (const file of files) { const meta=JSON.parse(fs.readFileSync(file, "utf8")); if (!meta || Array.isArray(meta) || typeof meta !== "object") throw new Error(`${file}: _meta.json must be an object`); if (typeof meta.owner !== "string" || !meta.owner) throw new Error(`${file}: owner missing`); if (typeof meta.slug !== "string" || !meta.slug) throw new Error(`${file}: slug missing`); if (!meta.latest || typeof meta.latest !== "object") throw new Error(`${file}: latest missing`); if (typeof meta.latest.version !== "string" || !meta.latest.version) throw new Error(`${file}: latest.version missing`); if (typeof meta.latest.publishedAt !== "number") throw new Error(`${file}: latest.publishedAt missing`); } console.log(`meta-json-shape-ok:${files.length}`); /source/_meta.jsonmeta-json-shape-ok:1โ๐งฌ _meta.json identitystatus: passedpassedexit 0257 mstap for adaptive receipts
node -e const fs=require("fs"); const expectedOwner=process.argv[1]; const expectedSlug=process.argv[2]; const files=process.argv.slice(3); for (const file of files) { const meta=JSON.parse(fs.readFileSync(file, "utf8")); if (meta.owner !== expectedOwner) throw new Error(`${file}: owner mismatch ${meta.owner} !== ${expectedOwner}`); if (meta.slug !== expectedSlug) throw new Error(`${file}: slug mismatch ${meta.slug} !== ${expectedSlug}`); if (meta.history && !Array.isArray(meta.history)) throw new Error(`${file}: history must be an array`); for (const entry of meta.history || []) { if (typeof entry.version !== "string" || !entry.version) throw new Error(`${file}: history.version missing`); if (typeof entry.publishedAt !== "number") throw new Error(`${file}: history.publishedAt missing`); } } console.log(`meta-json-identity-ok:${files.length}`); mrsirg97-rgb torchliquidationbot /source/_meta.jsonmeta-json-identity-ok:1โ๐งพ json parsestatus: passedpassedexit 0260 mstap for adaptive receipts
node -e const fs=require("fs"); const files=process.argv.slice(1); for (const file of files) JSON.parse(fs.readFileSync(file, "utf8")); console.log(`json-parse-ok:${files.length}`); /source/_meta.json /source/agent.json /source/lib/torchsdk/torch_market.jsonjson-parse-ok:3โ๐ข node syntaxstatus: passedpassedexit 0467 mstap for adaptive receipts
sh -lc for file do node --check "$file"; done && echo node-syntax-ok:$# functionality-node /source/lib/kit/config.js /source/lib/kit/index.js /source/lib/kit/types.js /source/lib/kit/utils.js /source/lib/torchsdk/constants.js /source/lib/torchsdk/ephemeral.js /source/lib/torchsdk/gateway.js /source/lib/torchsdk/index.js /source/lib/torchsdk/program.js /source/lib/torchsdk/quotes.js /source/lib/torchsdk/said.js /source/lib/torchsdk/tokens.js /source/lib/torchsdk/transactions.js /source/lib/torchsdk/types.jsnode-syntax-ok:14โ๐ docs link integritystatus: passedpassedexit 0309 mstap for adaptive receipts
python3 -c import pathlib, re, sys
root=pathlib.Path("/source").resolve()
pattern=re.compile(r"[[^]]+](([^)]+))")
missing=[]
checked=0
for file in [pathlib.Path(p) for p in sys.argv[1:]]:
try:
text=file.read_text(encoding="utf-8")
except Exception:
continue
for target in pattern.findall(text):
target=target.strip().strip("<>")
if not target or target.startswith(("http://","https://","mailto:","#")):
continue
target=target.split("#",1)[0].strip()
if not target:
continue
checked += 1
resolved=(file.parent / target).resolve()
try:
resolved.relative_to(root)
except ValueError:
missing.append(f"{file}: outside-source link -> {target}")
continue
if not resolved.exists():
missing.append(f"{file}: missing -> {target}")
if missing:
raise SystemExit("\n".join(missing[:20]))
print(f"docs-local-links-ok:{checked}") /source/audit.md /source/design.md /source/SKILL.md /source/verification.md /source/whitepaper.mdโโee3aba238d12f95e11d6284797d8763515ebd630580d2ef04c8564bf78f49125๐ฆ Source mountstatus: passedpassedexit 0257 mstap for the raw receipts
sh -lc find /source -maxdepth 2 -type f | sort | sed -n "1,12p" > /workspace/source-files.txt && wc -l /workspace/source-files.txt && cat /workspace/source-files.txtbusybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b8c7d56a2f2228b91aba9bd2e1f6f629d8f690c63a6701d62d46295fd7754a5009e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855Observed stdout:
7 /workspace/source-files.txt /source/SKILL.md /source/_meta.json /source/agent.json /source/audit.md /source/design.md /source/verification.md /source/whitepaper.md
Observed stderr:
(empty)
Workspace artifacts:
- source-files.txt (136 B)
๐ Source write guardstatus: passedpassedexit 0249 mstap for the raw receipts
sh -lc touch /source/driftbot-write-test >/tmp/source-write.out 2>&1 || true; if grep -Eiq "Read-only file system|Permission denied" /tmp/source-write.out || [ ! -e /source/driftbot-write-test ]; then echo source-readonly; fibusybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b8a65af92097dc754e9cac4a455c5378d78b05e7927705ae45e1d20a24c4c1fd3ce3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855Observed stdout:
source-readonly
Observed stderr:
(empty)
Workspace artifacts:
No workspace artifacts produced.
๐ Workspace writestatus: passedpassedexit 0233 mstap for the raw receipts
sh -lc echo workspace-ok > /workspace/write-check.txt && grep -q "workspace-ok" /workspace/write-check.txt && echo workspace-write-okbusybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b881487f7df7b83c1d3fae9c36fb1009328fa34feca0f5c1581674de4cba29e6f5e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855Observed stdout:
workspace-write-ok
Observed stderr:
(empty)
Workspace artifacts:
- write-check.txt (13 B)
๐ Hostname network denialstatus: passedpassedexit 0242 mstap for the raw receipts
sh -lc wget -T 3 -qO- http://example.com >/tmp/http-host.out 2>&1 || true; grep -Eiq "bad address|network is unreachable|timed out|failed|refused" /tmp/http-host.out && echo network-host-blockedbusybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b8aa4c95f392f2c19669ae67769237c23b54efb5f5e26a8ac8f11162ef28e7f141e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855Observed stdout:
network-host-blocked
Observed stderr:
(empty)
Workspace artifacts:
No workspace artifacts produced.
๐งฑ Raw-IP network denialstatus: passedpassedexit 0233 mstap for the raw receipts
sh -lc wget -T 3 -qO- http://1.1.1.1 >/tmp/http-ip.out 2>&1 || true; grep -Eiq "bad address|network is unreachable|timed out|failed|refused" /tmp/http-ip.out && echo network-ip-blockedbusybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b8ee48345f6e97282a8b1f42753df3c9b37886403c60b09a044657b95126bae8b1e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855Observed stdout:
network-ip-blocked
Observed stderr:
(empty)
Workspace artifacts:
No workspace artifacts produced.
๐งช Fake-env handlingstatus: passedpassedexit 0226 mstap for the raw receipts
sh -lc env | grep -E "OPENAI_API_KEY|SLACK_BOT_TOKEN|GITHUB_TOKEN" | sed "s/=.*$/=REDACTED/"busybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b8d714e2d3c2043f53d26d2deebac9b26a17f96f8d20158469b586bb598bc80c57e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855Observed stdout:
GITHUB_TOKEN=REDACTED SLACK_BOT_TOKEN=REDACTED OPENAI_API_KEY=REDACTED
Observed stderr:
(empty)
Workspace artifacts:
No workspace artifacts produced.
๐๏ธ Secret-path isolationstatus: passedpassedexit 0219 mstap for the raw receipts
sh -lc test ! -e /root/.ssh && test ! -e /home/claw1/.ssh && test ! -e /workspace/.ssh && echo no-host-secretsbusybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b8e95cf953e01cafd431be70f0f5539c4c0ae8961ef5cff96d968a29509597c797e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855Observed stdout:
no-host-secrets
Observed stderr:
(empty)
Workspace artifacts:
No workspace artifacts produced.
๐ณ Docker socket denialstatus: passedpassedexit 0241 mstap for the raw receipts
sh -lc test ! -S /var/run/docker.sock && echo no-docker-socketbusybox@sha256:b9598f8c98e24d0ad42c1742c32516772c3aa2151011ebaf639089bd18c605b8702d41c3742c72aff24f584ad0138f2df38b424090d03d3b3e85e3212f0df2efe3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855Observed stdout:
no-docker-socket
Observed stderr:
(empty)
Workspace artifacts:
No workspace artifacts produced.
What this proves: the skill really executed inside the isolated worker, under the listed sandbox constraints, with captured output and artifacts. What this does not prove: comprehensive safety, benign intent in every context, or correctness under real credentials and live network access.
Publisher and provenance
Listed in the VoltAgent awesome-openclaw-skills catalog under Devops And Cloud and lightly source-scanned from openclaw/skills. This is stronger evidence than catalog metadata alone, but still not a full runtime audit.
Source type: awesome-index
Source path: https://github.com/openclaw/skills/tree/main/skills/mrsirg97-rgb/torchliquidationbot/SKILL.md
Source URL: https://github.com/openclaw/skills/tree/main/skills/mrsirg97-rgb/torchliquidationbot/SKILL.md
Discovery category: Devops And Cloud
Manual review
No human review yet. The scorecard is currently static-analysis-first.
Community signals
Community signals
These are community attention markers, not crowd-sourced truth. Click what feels especially worth flagging or reviewing.
Related skills
kefir-batch-manager
Comprehensive kรฉfir batch management system with cycle tracking, intelligent reminders, grain health monitoring, and recipe management. Use when managing kรฉfir fermentation cycles, tracking grain health, calculating ratios, scheduling reminders, or maintaining fermentation records.
echo-agent
EchoAgent is a minimal OpenClaw-compatible skill.
japanese-tutor
Interactive Japanese learning assistant. Supports vocabulary, grammar, quizzes, roleplay, PDF/DOCX material parsing for study/homework help, and OCR translation.