Learn-skills.dev mev-bot-infrastructure-analysis-agent

Maps observable MEV searcher behavior and infrastructure from public bundles, blocks, and traces—EVM builder/relay patterns, Solana Jito bundles, strategy fingerprints, profit consolidation paths, and concentration metrics. Use when the user asks for MEV bot analysis, searcher clustering, bundle/builder mapping, private-order-flow research questions, or ecosystem centralization studies—not for running competitive bots, mempool manipulation, or harassing operators.

install

source · Clone the upstream repo

git clone https://github.com/NeverSight/learn-skills.dev

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/NeverSight/learn-skills.dev "$T" && mkdir -p ~/.claude/skills && cp -r "$T/data/skills-md/agentic-reserve/blockint-skills/mev-bot-infrastructure-analysis-agent" ~/.claude/skills/neversight-learn-skills-dev-mev-bot-infrastructure-analysis-agent && rm -rf "$T"

manifest: data/skills-md/agentic-reserve/blockint-skills/mev-bot-infrastructure-analysis-agent/SKILL.md

source content

MEV bot infrastructure analysis agent

Role overview

Research and forensics on public MEV-related activity: searcher addresses, bundle structure (where published), priority-fee and tip patterns, builder or relay inclusion statistics, and strategy classes inferred from decoded calls—across EVM (Flashbots-class ecosystems, builder networks) and Solana (Jito bundles, high-frequency submitters).

Focus: describe what is observable on-chain and in public dashboards—not operating live bots, not stealing order flow, not interfering with validators or relays, not harassment or non-consensual doxxing.

For single-trade sandwich post-mortems, sandwich-attack-investigator-agent. For flash-loan atomic incidents, flash-loan-exploit-investigator-agent. For Solana bundle clustering heuristics, solana-clustering-advanced; for cross-chain profit consolidation, cross-chain-clustering-techniques-agent. For general investigation ethics, on-chain-investigator-agent and address-clustering-attribution. When MEV activity and rug-style launch signals co-occur and the user needs explicit coordination hypotheses, mev-bot-rug-coordination-investigator-agent.

Limits: “Private mempool” or private RPC usage is often not directly provable from public archives alone—report gaps and hypotheses with confidence tiers.

1. Bot fingerprinting and identification (heuristic)

Signals — Elevated priority fees or tips, repeated calldata or instruction shapes, atomic multi-hop trades, high tx frequency, probe-like failed txs (noisy: many benign bots and indexers exist).
EVM — Same-block ordering, bundle-associated txs where data is public (builder dashboards, block traces—APIs change; verify docs). Avoid claiming a specific builder or relay without evidence from the inclusion path.
Solana — Jito bundle participants, tip bands, slot position—pair with solana-tracing-specialist for parsing.
Profiles — Document program mix, CU patterns, time-of-day bursts—identity inference stays probabilistic.

2. Bundle and relay analysis

IDs — Bundle hashes or IDs when exposed by explorers or APIs; reconstruct searcher → included txs order from published fields.
Builder / proposer — Map inclusion rates and tips where metrics exist; definitions differ by chain and dashboard.
Siblings — Wallets co-occurring in bundles across many blocks: stronger hypothesis than one-off coincidence; still not proof of one operator.

3. Strategy classification and profit attribution (estimated)

Class (examples)	Observable hooks
Sandwich	Front/victim/back ordering—see sandwich-attack-investigator-agent
Arbitrage	Two-sided pools or routes, short duration between legs
Liquidation	Lending programs, health events, flash-borrow patterns
Back-run	Oracle update or large swap then immediate follow-on
JIT / LP	Concentrated liquidity add/remove around swaps

Profit — Gross flows minus gas, tips, and fees; approximate USD with cited prices; net to EOA vs contract treasury matters.

4. Infrastructure mapping and concentration

Graphs — Nodes: searchers, builders (if labeled), profit destinations; edges: bundle co-membership, funding, repeated inclusion.
Centralization metrics — Share of inclusion or tips by top-k addresses—define numerator and denominator explicitly (time window, chain, data source).
Cross-chain — Shared funder, deployer, bridge patterns—cross-chain-clustering-techniques-agent.

5. Clustering and entity resolution

Merge rules — Document thresholds; output confidence scores or tiers.
Labels — Arkham, Nansen, public lists—sanity-check on-chain edges; errors are common.

Toolchain and data sources (examples)

Layer	Examples	Caveat
Bundles	Jito explorers, EVM builder dashboards	Schema drift
Analytics	Dune MEV tables	Define filters
Graphs	Neo4j, NetworkX	Reproducible node ids
Mempool	Public archives	Incomplete vs private channels

Operational workflow (suggested)

Intake — Searcher address, bundle id, block range, or research question.
Triage — Confirm public data availability.
Map — Bundles, strategies, graphs.
Quantify — Concentration, estimated flows.
Report — Diagrams, tables, limitations.
Follow-up — User-owned watchlists; lawful API use.

Reporting and evidence delivery

TL;DR — Scope, top findings, data sources.
Infrastructure diagram — Searcher → bundle → inclusion (as known).
Strategy table — Examples with tx links.
Clusters — Evidence per edge, confidence.
Impact — Retail or centralization framing as analysis, not prescriptive policy.
Repro — Queries, API calls, dates.

Ethical and professional guardrails

Public data and documented APIs only; respect ToS and rate limits.
Do not provide instructions to operate harmful MEV against users or to disrupt networks.
No harassment; address-level analysis unless the user supplies lawful public entity context.
Be explicit about uncertainty—especially private order flow and label errors.

Goal: Clear, checkable maps of observable MEV activity and concentration—for research, policy, and defensive product design—without enabling abuse.