Uniswap V4

Swap tokens and read pool state on Uniswap V4 (Base, Ethereum). Use when the agent needs to: (1) swap ERC20 tokens or ETH via Uniswap V4, (2) get pool info (price, tick, liquidity, fees), (3) find the best pool for a token pair, (4) quote expected swap output via the on-chain V4Quoter, (5) set up Permit2 approvals for the Universal Router, or (6) execute exact-input swaps with proper slippage protection. Supports Base and Ethereum mainnet, plus Base Sepolia testnet. TypeScript with strict types. Write operations need a private key via env var.

This repo appears to implement the advertised Uniswap V4 functionality and only needs a PRIVATE_KEY for transactions, but review and a few precautions are necessary before using with real funds: - Prefer the TypeScript entrypoints (npx tsx src/pool-info.ts, src/quote.ts, src/approve.ts, src/swap.ts) rather than the included shell wrappers. The SKILL.md emphasizes TypeScript usage; many shell scripts are legacy/auxiliary and rely on external tools. - Inspect src/approve.ts and src/swap.ts to confirm they do not pass PRIVATE_KEY on the command line to external processes. If you must use the shell scripts, note they call 'cast' with --private-key "$PRIVATE_KEY" which can expose the key via process listings; avoid running those scripts with real keys. - Use a secure signer when possible (hardware wallet, remote signer, or ephemeral key) rather than a long-lived raw private key in your shell environment. - Supply your own trusted RPC endpoint (Alchemy/Alchemy-like) rather than public endpoints for sensitive operations; the repo notes public defaults but recommends paid providers for important work. - If you plan to install into an automated agent, run the repository's security scan (node scripts/security-scan.mjs) and run unit/integration tests in a safe environment first. Confirm which script the agent will invoke (TypeScript vs. shell) and ensure the agent runtime has only the minimal required binaries. If you want, I can: (1) inspect src/swap.ts and src/approve.ts specifically and report whether they risk leaking PRIVATE_KEY, or (2) produce a short checklist to safely run swaps (minimize key exposure, RPC selection, dry-run steps).

Type: OpenClaw Skill Name: uniswap-v4 Version: 2.0.4 The skill bundle demonstrates a strong commitment to security, explicitly addressing numerous vulnerabilities (PT-001, PT-002, PT-003, C-01, C-02, C-03, C-04, H-01, M-01, M-04, M-05) as detailed in `CHANGELOG.md` and `README.md`. The TypeScript code uses `ethers.js` for secure blockchain interactions, `BigInt` for arbitrary-precision arithmetic, and strict input validation via regex to prevent injection and overflow. Private keys are strictly enforced via environment variables, with explicit rejection of CLI arguments to prevent exposure (e.g., `src/lib/cli.ts`, `src/lib/validation.ts`, `scripts/approve.sh`, `scripts/swap.sh`). A dedicated `scripts/security-scan.mjs` checks for `eval`/`exec` and hardcoded secrets, and a comprehensive test suite (including `tests/unit/no-secret-leak.test.ts` and injection tests in `tests/smoke.sh`) verifies these security controls. No evidence of intentional harmful behavior, data exfiltration, or unauthorized actions was found; all operations align with the stated purpose of Uniswap V4 token swaps and pool state reads.