ClawHub

bnbchain

vv1.0.2

Interact with the BNB Chain Model Context Protocol (MCP) server. Blocks, contracts, tokens, NFTs, wallet, Greenfield, and ERC-8004 agent tools. Use npx @bnb-...

0· 395·1 current·1 all-time
by@0xlucasliao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (BNB Chain MCP) match the runtime instructions: the SKILL.md documents read-only queries and state-changing actions on BNB/EVM networks. No unrelated credentials or unrelated binaries are requested. Requiring a private key for state-changing actions is expected for this class of skill.
Instruction Scope
Instructions stay within the MCP domain: how to run the MCP client via npx, which tools are read-only vs state-changing, and when PRIVATE_KEY is needed. The doc repeatedly warns not to paste keys and to use testnet. It also claims the server "does not store or log" PRIVATE_KEY — that's a developer claim you should verify by auditing the package source before supplying a key.
Install Mechanism
There is no registry install spec in the skill bundle; the SKILL.md tells users to run npx @bnb-chain/mcp@latest which pulls the package from npm at runtime. Fetching and executing code at runtime is a moderate risk — acceptable for developer tooling but you should audit the npm package (or install locally) before running, and consider pinning to a specific version.
Credentials
No environment variables are required for read-only use. PRIVATE_KEY is documented as optional and only necessary for state-changing operations — this is proportional. The skill does not request unrelated secrets or multiple unrelated credentials. Users must take care to provide keys only in secure, controlled envs and preferably use testnet wallets for trials.
Persistence & Privilege
Skill does not request persistent privileges: always:false, no install spec, and no files included. It does not attempt to modify other skills or system-wide configs. Runtime use of npx will create local npm cache artifacts as normal but the skill itself requests no persistent platform privileges.
Assessment
This skill appears to do what it says, but exercise standard caution: 1) Audit the npm package (https://github.com/bnb-chain/bnbchain-mcp) or install it locally rather than blindly running npx @bnb-chain/mcp@latest; runtime package fetches can run arbitrary code. 2) For any state-changing operation you will need to provide a PRIVATE_KEY — never paste or upload your mainnet private key to an environment you don't control. Prefer a testnet or ephemeral wallet and confirm the network before signing transactions. 3) Consider pinning a specific package version and reviewing the source for any unexpected logging/transmission of secrets. 4) When in doubt, run the MCP server in a sandboxed environment and inspect network activity and logs before using real funds.

Like a lobster shell, security has layers — review code before you run it.

latestvk973fr0efypn5f61w6sv5ppznn8269sd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments