[new-plugin] uniswap-viem-integration #45

Merged
MigOKG merged 3 commits into okx:main from wkoutre:submit/uniswap-viem-integration
Apr 2, 2026

@wkoutre wkoutre commented Apr 1, 2026

Summary

Submitting uniswap-viem-integration from the uniswap-ai monorepo maintained by Uniswap Labs.

Description: Integrate EVM blockchains using viem and wagmi for TypeScript and JavaScript applications

Canonical Source

The full skill content is maintained at https://github.com/uniswap/uniswap-ai. The SKILL.md included here is a lightweight stub that provides essential guidance and directs agents to install the full plugin for the complete experience.

Checklist

  • plugin.yaml with all required fields
  • SKILL.md with frontmatter (name, description, version, author)
  • LICENSE (MIT)
  • README.md
  • Name is lowercase with hyphens, 2-40 chars
  • Version follows semver
  • Directory name matches plugin.yaml name
  • Only files inside submissions/uniswap-viem-integration/ are modified

github-actions bot commented Apr 1, 2026

📋 Phase 3: AI Code Review Report — Score: 25/100

Plugin: uniswap-viem-integration | Recommendation: ⚠️ Merge with caveats

🔗 Reviewed against latest onchainos source code (live from main branch) | Model: claude-opus-4-6 via Anthropic API | Cost: ~189067+3321 tokens

This is an advisory report. It does NOT block merging. Final decision is made by human reviewers.


1. Plugin Overview

| Field | Value |
|---|---|
| Name | uniswap-viem-integration |
| Version | 1.0.0 |
| Category | utility |
| Author | Uniswap Labs (wkoutre) |
| License | MIT |
| Has Binary | No (Skill only) |
| Risk Level | Low (utility/documentation skill) |

Summary: This plugin serves as a stub/pointer skill that directs users to install the full Uniswap AI integration for viem and wagmi — TypeScript/JavaScript libraries for interacting with EVM blockchains. The SKILL.md contains virtually no operational instructions; it merely provides two install commands and a link to the source repository.

Target Users: TypeScript/JavaScript developers building on EVM chains who want viem/wagmi integration guidance within their AI agent workflow.

2. Architecture Analysis

Components:

  • Skill only (SKILL.md) — no binary, no source code, no build configuration.

Skill Structure:
The SKILL.md is minimal:

  • YAML frontmatter with name, description, version, author, tags
  • A single heading with two install commands (npx skills add and claude plugin add)
  • A link to the GitHub source repository
  • No command definitions, no operational instructions, no pre-flight checks, no error handling

Data Flow:
No data flows through this plugin. It contains no commands, no API calls, no on-chain interactions, and no external data fetching. It is purely a documentation/pointer skill.

Dependencies:

  • References npx skills CLI tool (for installation)
  • References claude plugin add (for installation)
  • Links to GitHub repository: https://github.com/uniswap/uniswap-ai/tree/main/packages/plugins/uniswap-viem/skills/viem-integration
3. Auto-Detected Permissions

NOTE: plugin.yaml does NOT contain a permissions field. All permissions are inferred from SKILL.md content and source code analysis.

onchainos Commands Used

| Command Found | Exists in onchainos CLI | Risk Level | Context |
|---|---|---|---|
| (none) | N/A | N/A | No onchainos commands are referenced in this plugin |

Wallet Operations

| Operation | Detected? | Where | Risk |
|---|---|---|---|
| Read balance | No | | Low |
| Send transaction | No | | High |
| Sign message | No | | High |
| Contract call | No | | High |

External APIs / URLs

| URL / Domain | Purpose | Risk |
|---|---|---|
| https://github.com/uniswap/uniswap-ai/tree/main/packages/plugins/uniswap-viem/skills/viem-integration | Source code reference link | Low |

Chains Operated On

No chains are directly operated on by this plugin. The description references "EVM blockchains" generically, but no on-chain operations are defined.

Overall Permission Summary

This plugin has zero operational permissions. It defines no commands, accesses no data, performs no on-chain operations, and makes no API calls. It is purely a stub that points users to the full Uniswap AI plugin for installation. The only external reference is a GitHub URL to the source repository.

4. onchainos API Compliance

Does this plugin use onchainos CLI for all on-chain write operations?

Yes — N/A. This plugin defines no on-chain write operations whatsoever.

On-Chain Write Operations (MUST use onchainos)

| Operation | Uses onchainos? | Self-implements? | Detail |
|---|---|---|---|
| Wallet signing | N/A | No | No signing operations defined |
| Transaction broadcasting | N/A | No | No broadcast operations defined |
| DEX swap execution | N/A | No | No swap operations defined |
| Token approval | N/A | No | No approval operations defined |
| Contract calls | N/A | No | No contract call operations defined |
| Token transfers | N/A | No | No transfer operations defined |

Data Queries (allowed to use external sources)

| Data Source | API/Service Used | Purpose |
|---|---|---|
| (none) | N/A | No data queries defined |

External APIs / Libraries Detected

  • No direct API endpoints found
  • No web3 libraries referenced in operational context (viem/wagmi are mentioned in the description but no code or instructions use them)
  • No RPC URLs found

Verdict: ✅ Fully Compliant

This plugin contains no on-chain operations of any kind. There is nothing to be non-compliant about. It is a documentation stub.

5. Security Assessment

Static Rule Scan (C01-C09, H01-H09, M01-M08, L01-L02)

| Rule ID | Severity | Title | Matched? | Detail |
|---|---|---|---|---|
| M01 | MEDIUM | supply-chain-unpinned | ✅ Yes | `npx skills add Uniswap/uniswap-ai` — no version pinned. Pattern matches `npx\s+skills\s+add\s+[\w/]+(?!@[\d.])` |

All other static rules (C01-C09, H01-H09, M02-M08, L01-L02) — Not matched. No curl|sh, no prompt injection, no base64, no unicode obfuscation, no credential exfiltration, no suspicious downloads, no pseudo tags, no HTML comments, no backtick injection, no hardcoded secrets, no credential output, no persistence, no sensitive data access, no financial operations, no system modification, no plaintext env credentials, no credential solicitation, no signed tx params, no unverifiable deps, no third-party content fetching, no resource exhaustion, no dynamic execution, no skill chaining, no missing untrusted data boundary (no external data processed), no external data passthrough, no discovery abuse, no undeclared network.

LLM Judge Analysis (L-PINJ, L-MALI, L-MEMA, L-IINJ, L-AEXE, L-FINA, L-FISO)

| Judge | Severity | Detected | Confidence | Evidence |
|---|---|---|---|---|
| L-PINJ (Prompt Injection) | CRITICAL | Not detected | 0.95 | No hidden instructions, no pseudo-tags, no encoded content, no override directives |
| L-MALI (Malicious Intent) | CRITICAL | Not detected | 0.95 | No discrepancy between stated purpose and actual content; skill is transparent about being a stub |
| L-MEMA (Memory Poisoning) | HIGH | Not detected | 0.98 | No references to MEMORY.md, SOUL.md, or persistent memory modification |
| L-IINJ (External Request Notice) | INFO | Not detected | 0.95 | No external requests are made; no CLI data processing |
| L-AEXE (Autonomous Execution Risk) | INFO | Not detected | 0.98 | No operations defined that could be autonomously executed |
| L-FINA (Financial Scope Assessment) | INFO | Not detected | 0.98 | No financial operations of any kind — read-only exemption applies (and it doesn't even read) |

Toxic Flow Detection (TF001-TF006)

No toxic flows detected. No prerequisite rules are triggered:

  • No TF001 (no H04 + C05/L02)
  • No TF002 (no C02 + H03)
  • No TF004 (no M02 + L-MALI)
  • No TF005 (no C01 + H05)
  • No TF006 (no M07/M08 + H05)

Prompt Injection Scan

  • No instruction override patterns
  • No identity manipulation
  • No hidden behavior
  • No confirmation bypass
  • No unauthorized operations
  • No hidden content (base64, invisible chars)

Result: ✅ Clean

Dangerous Operations Check

This plugin involves no transfers, signing, contract calls, or transaction broadcasting. No operations are defined at all.

Result: ✅ Safe

Data Exfiltration Risk

No external API calls, no data collection, no network requests. The plugin cannot leak sensitive data.

Result: ✅ No Risk

Overall Security Rating: 🟢 Low Risk

6. Source Code Security (if source code is included)

Skipped — this plugin has no source code and no build section.

7. Code Review

Quality Score: 25/100

| Dimension | Score | Notes |
|---|---|---|
| Completeness (pre-flight, commands, error handling) | 2/25 | No commands defined, no pre-flight checks, no error handling, no operational content whatsoever. This is a stub/pointer, not a functional skill. |
| Clarity (descriptions, no ambiguity) | 10/25 | The description and frontmatter are clear about what the plugin claims to be. However, there is a mismatch: the description says "Integrate EVM blockchains using viem and wagmi" but the skill provides zero integration guidance. |
| Security Awareness (confirmations, slippage, limits) | 5/25 | N/A for a stub, but no security notes or warnings about the external packages being installed. |
| Skill Routing (defers correctly, no overreach) | 5/15 | No routing defined. Does not overreach since it does nothing. |
| Formatting (markdown, tables, code blocks) | 3/10 | Minimal markdown with proper code blocks for install commands, but lacks any structure expected of a skill (no command index, no operation flow, no tables). |

Strengths

  • Zero attack surface: The plugin defines no operations, making it inherently safe from a security perspective.
  • Transparent about being a pointer: The skill clearly states it links to the full Uniswap AI integration.
  • Clean plugin.yaml: api_calls: [] is honest — no API calls are made.

Issues Found

  • 🟡 Important: M01 — Unpinned install command: npx skills add Uniswap/uniswap-ai has no version pinning. The installed package could be updated to contain malicious code at any time. Should be pinned to a specific version (e.g., npx skills add Uniswap/uniswap-ai@1.0.0).
  • 🟡 Important: Essentially empty skill: The SKILL.md provides no operational value. It contains no commands, no integration guidance, no viem/wagmi usage instructions, and no examples. Users installing this skill get nothing actionable — they must install a completely separate package to get functionality. This raises the question of whether it belongs in the Plugin Store at all as a standalone submission.
  • 🔵 Minor: Description mismatch: plugin.yaml and SKILL.md description says "Integrate EVM blockchains using viem and wagmi" but the skill provides zero integration content. This is misleading — a more accurate description would be "Pointer to the full Uniswap AI viem integration plugin."
  • 🔵 Minor: No skill routing: No guidance on when to use this skill vs. other skills. The description field in the frontmatter could trigger false positives for routing since it mentions "EVM blockchains", "smart-contracts", "ethereum" which overlap with operational skills.
  • 🔵 Minor: Second install command uses different package manager: npx skills add Uniswap/uniswap-ai vs claude plugin add @uniswap/uniswap-viem — two different packages/scopes with no explanation of the difference.

8. Recommendations

  1. Pin the install command version (M01 fix): Change npx skills add Uniswap/uniswap-ai to npx skills add Uniswap/uniswap-ai@<version> to prevent supply chain attacks.
  2. Clarify the description: Update the description to accurately reflect that this is a pointer/stub skill, not a functional integration. E.g., "Install pointer for the full Uniswap viem/wagmi integration skill."
  3. Add operational content or reconsider submission: Either include actual viem/wagmi integration guidance in the SKILL.md (making it a self-contained skill), or clearly document this as a meta-package/redirect. As submitted, it provides no standalone value.
  4. Explain the two install paths: Clarify the difference between npx skills add Uniswap/uniswap-ai (full suite) and claude plugin add @uniswap/uniswap-viem (this plugin only).
  5. Add version info for the target package: Include the expected version of the full uniswap-ai package so users know what they're installing.

9. Reviewer Summary

One-line verdict: A safe but empty stub skill that serves only as a pointer to the full Uniswap AI integration — contains no operational content, no commands, and no security concerns beyond an unpinned install command.

Merge recommendation: ⚠️ Merge with noted caveats

Specific items to address before or after merge:

  1. Should fix: Pin npx skills add Uniswap/uniswap-ai to a specific version (M01 — supply chain risk)
  2. Should fix: Update description to accurately reflect this is a pointer/stub, not a functional integration skill
  3. Consider: Whether an empty stub skill that redirects to an external package meets the Plugin Store's minimum content requirements for submission

Generated by Claude AI via Anthropic API — review the full report before approving.
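
An added example, not part of this thread or of the review pipeline's code: the M01 pattern as quoted in the report above, run over constructed install lines beside a token-based pin check. As quoted, `[\w/]+` can stop before the `-` in `uniswap-ai` or backtrack by one character, so the pattern also flags pinned commands, and it misses a spec that starts with a scope `@`. The `@<exact version>` pin form is assumed from the report's own suggestion, and `quotedRuleFlags`, `isPinned` and `findUnpinned` are hypothetical names.

```javascript
// Pattern exactly as quoted in the M01 row of the report.
const QUOTED_M01 = /npx\s+skills\s+add\s+[\w/]+(?!@[\d.])/;

// Constructed sample lines for illustration (not from the submitted SKILL.md).
const SAMPLES = [
  "npx skills add Uniswap/uniswap-ai",
  "npx skills add Uniswap/uniswap-ai@1.0.0",
  "npx skills add foo/bar@2.3.4",
  "npx skills add @scope/pkg",
  "npx skills add Uniswap/uniswap-ai@latest",
];

// True when the quoted pattern would raise M01 for this line.
function quotedRuleFlags(line) {
  return QUOTED_M01.test(line);
}

// Capture the whole package spec as one token, stopping at whitespace or
// Markdown/quote delimiters, so the pin check sees the complete argument.
const INSTALL = /npx\s+skills\s+add\s+([^\s`"')]+)/g;
const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

// Assumption: a pin is "<spec>@<major.minor.patch>", the form the report
// suggests. Floating tags such as "@latest" count as unpinned.
function isPinned(spec) {
  const at = spec.lastIndexOf("@");
  if (at <= 0) return false; // no "@", or only a leading scope "@"
  return EXACT_VERSION.test(spec.slice(at + 1));
}

// Return every package spec in the text that is installed without a pin.
function findUnpinned(text) {
  const hits = [];
  for (const m of text.matchAll(INSTALL)) {
    if (!isPinned(m[1])) hits.push(m[1]);
  }
  return hits;
}

for (const line of SAMPLES) {
  const token = findUnpinned(line).length > 0;
  console.log(`${line} | quoted rule: ${quotedRuleFlags(line)} | token check: ${token}`);
}
```
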

github-actions bot commented Apr 1, 2026

✅ Phase 2: Structure Validation — PASSED

Linting submissions/uniswap-viem-integration...


✓ Plugin 'uniswap-viem-integration' passed all checks!

→ Proceeding to Phase 3: AI Code Review

@wkoutre wkoutre changed the title [new-plugin] uniswap-viem-integration v1.0.0 [new-plugin] uniswap-viem-integration Apr 1, 2026
MigOKG commented Apr 2, 2026

⚠️ Maintainer Note: External SKILL Reference

This PR's SKILL.md redirects users to install the full version from Uniswap/uniswap-ai via npx skills add. The actual skill logic is maintained in Uniswap's own repository, not submitted here.

As Plugin Store maintainers, we are unable to review or audit the externally hosted SKILL source code and scripts through our standard AI review pipeline. Accordingly, we cannot independently verify the functionality or assess the trading risk of this plugin.

@MigOKG MigOKG merged commit d30731c into okx:main Apr 2, 2026
11 checks passed