ClawHub

Rhaios Staging

v0.1.4

Interact with the Rhaios staging REST API for yield operations. Discover -> prepare -> setup-if-needed -> sign -> execute flow with pluggable signer backend....

0· 222·0 current·0 all-time
byJoão@0xtimepunk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match implementation: the code calls the hardcoded staging API endpoints, implements prepare/setup/execute flows, and integrates with Privy or a local private key for signing. Required packages (viem, @privy-io/node) and declared envs align with that purpose.
Instruction Scope
SKILL.md and scripts restrict behavior to staging API calls, preflight checks, signing, and optional broadcast via RPC. Instructions only reference the declared env vars (Privy creds or private key) and stdin payloads; they do not attempt to read unrelated system files or send data to unexpected endpoints.
Install Mechanism
Install is a normal Node package (@rhaios/toolkit) with dependencies from npm (viem, @privy-io/node, tsx). No arbitrary URL downloads or extract-from-unknown-host steps were used. This is a moderate-trust but expected mechanism for a JS toolkit.
Credentials
Environment variables are proportional to functionality: PRIVY_* vars are needed only for the Privy signer backend; SIGNER_PRIVATE_KEY is required only if the private-key backend is chosen. The declared primaryEnv (PRIVY_WALLET_ADDRESS) is reasonable. Secrets are used for signing only and are not sent to unexpected third parties in the code paths shown.
Persistence & Privilege
The skill does not request permanent/global inclusion (always is false), does not modify other skills or system-wide agent configs, and limits its actions to its own runtime behavior.
Assessment
This skill appears to do exactly what it says: interact with the Rhaios staging API and sign transactions using Privy or a local private key. Before installing, confirm you want code to run that can sign and (when not in dryRun) broadcast transactions. Do not paste your private key or Privy master secrets into chat — keep them in your environment or secret manager. If you plan to use Privy, ensure PRIVY_APP_ID/PRIVY_APP_SECRET come from a trusted Privy skill/provider and that PRIVY_WALLET_ID is ownerless as required. Because this runs against a staging URL, prefer running in a controlled/test environment and review the code if you need higher assurance.
src/preflight.ts:32
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dhjfrgpyznhwgdt9062ydq182y9qc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Primary envPRIVY_WALLET_ADDRESS
Environment variables
SIGNER_BACKENDoptionalprivy or private-key. Defaults to privy.
SIGNER_PRIVATE_KEYoptionalRequired only when SIGNER_BACKEND=private-key. 0x-prefixed 32-byte hex.
PRIVY_APP_IDoptionalProvided by Privy skill. Required when SIGNER_BACKEND=privy.
PRIVY_APP_SECREToptionalProvided by Privy skill. Required when SIGNER_BACKEND=privy.
PRIVY_WALLET_IDoptionalRequired when SIGNER_BACKEND=privy. Must be ownerless.
PRIVY_WALLET_ADDRESSoptionalRequired when SIGNER_BACKEND=privy. 0x-prefixed address.

Install

Nodenpm i -g @rhaios/toolkit

Comments