BNB Chain NFT
v0.1.0
NFT operations on BNB Chain — get NFT metadata, check ownership, list NFTs by owner, transfer ERC-721 tokens, get collection info. Use for any NFT-related tasks on BSC.
by @clawzai
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description align with the included code: nft.js implements ERC-721 read/write operations on BNB Chain. The package.json and package-lock.json list ethers as the only dependency, which is appropriate for the stated purpose.
Instruction Scope
SKILL.md accurately documents commands and notes the need for a private key for write operations. However the skill's manifest declared no required env vars/binaries while the runtime instructions expect Node.js/npm and optionally BNB_PRIVATE_KEY and BNB_RPC_URL. SKILL.md also instructs running npm install ethers (network access) and fetching tokenURI HTTP URLs when present (fetches arbitrary metadata endpoints).
Install Mechanism
There is no automated install spec in the registry; installation is instruction-only (npm install). This pulls packages from the public npm registry (ethers and its dependencies) which is common for Node skills but is a moderate-risk action compared with instruction-only skills that require no package downloads.
Credentials
The only sensitive secret referenced is BNB_PRIVATE_KEY (used only for transfer/approve/setApprovalForAll operations) and an optional BNB_RPC_URL. These are proportionate to on-chain write operations. The manifest did not declare BNB_PRIVATE_KEY as a required env var, so the discrepancy should be noted before use.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. It is instruction-only and runs as a CLI script (no automatic background installation or modification of other skills).
Assessment
This skill appears to do what it claims—interact with ERC‑721 contracts on BNB Chain—but take these precautions before installing or running it:
- The registry metadata omits runtime requirements: you need Node.js/npm to run nft.js and the SKILL.md asks you to run npm install. Don't run npm install in a sensitive environment without review.
- The SKILL.md mentions BNB_PRIVATE_KEY for write actions; the manifest didn't declare this env var. Only provide a private key if you trust the code and understand the risk. Prefer using a testnet key or an ephemeral wallet for testing.
- The script fetches tokenURI URLs (arbitrary HTTP(S) endpoints). Metadata fetches will contact third-party servers and the responses are printed to stdout — avoid sending logs/outputs to untrusted endpoints if you care about privacy.
- Verify BNB_RPC_URL (default is public Binance RPC). Consider using a trusted RPC provider or your own node to avoid MITM or rate-limiting issues.
- Review nft.js yourself (or have someone else review) before giving it access to any real private key. If you only need read-only info, avoid supplying a private key or run the read commands only.
If you want higher assurance, ask the skill author to declare required env vars (BNB_PRIVATE_KEY optional, BNB_RPC_URL optional) and required binaries (node/npm) in the registry metadata and to provide reproducible release/source provenance.
Like a lobster shell, security has layers — review code before you run it.
latest: vk9743sqsjs661mrw78m4w751xn80bt7a
