Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Abstract Toolkit

v1.0.0

Deploy smart contracts and bridge assets to Abstract (ZK Stack L2). Use when an agent needs to deploy contracts on Abstract, bridge ETH/tokens to Abstract, trade/swap tokens, check balances, transfer assets, or interact with Abstract mainnet. Covers zksolc compilation, Hardhat deployment, Relay bridging, DEX trading, and key contract addresses.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the included scripts: deployment, bridging, token transfer, swaps, AGW creation. The requested runtime behavior (signing transactions, calling RPCs, sending funds) is coherent with a blockchain toolkit. However, the registry metadata declares no required env vars/credentials, while the SKILL.md and scripts clearly require WALLET_PRIVATE_KEY (and optionally DEX_ROUTER), so the declared requirements do not match what the skill actually needs.
Instruction Scope
SKILL.md and scripts are explicit about actions to take: reading ABI/artifact files, using WALLET_PRIVATE_KEY to sign transactions, calling RPC endpoints, sending transactions to relay depositor and DEX router addresses. All file and network accesses are within the expected domain for on-chain operations (no unrelated filesystem or system-wide config reads).
Install Mechanism
This is instruction-only (no install spec) but includes multiple Node scripts that rely on npm packages (ethers, zksync-ethers, @abstract-foundation/agw-client, viem, Hardhat plugin). The SKILL.md lists the npm dependencies but does not provide an automated install step; users must run npm install themselves. No high-risk URL downloads or extract/install actions are present in the skill bundle.
! Credentials
The scripts require WALLET_PRIVATE_KEY (sensitive) for any write/transfer/deploy operations and DEX_ROUTER is required for swaps, but the skill metadata declares no required environment variables or primary credential. Asking for a private key is legitimate for this functionality, but the omission from declared requirements and lack of guidance on secure handling increases the risk of accidental misuse or exposure.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It runs as invoked and relies on environment variables at runtime; autonomous invocation is allowed by default but not excessive here given the purpose.
What to consider before installing
Before installing or running this skill:
- Treat WALLET_PRIVATE_KEY as highly sensitive. Do not set your main wallet private key in an environment variable for untrusted code. Prefer a throwaway/test account or hardware-wallet-backed signing.
- The skill metadata does not declare required env vars (WALLET_PRIVATE_KEY, DEX_ROUTER). That mismatch is a red flag — expect to supply these to run write operations.
- Inspect and, if necessary, pin the npm dependencies locally (ethers, zksync-ethers, @abstract-foundation/agw-client, viem, hardhat plugin). Run npm install in a controlled environment and review package versions.
- Test all flows on Abstract testnet (chain ID 11124, test RPC) before using mainnet and bridge only small amounts first.
- Verify critical addresses (Relay depositor, DEX router) independently from Abstract docs; the scripts will send on-chain funds to those addresses.
- If you lack experience handling private keys securely, do not run the write operations; consider using a read-only mode (balance checks, non-write contract calls) or seek assistance.

If you want higher assurance, ask the publisher for declared required env vars and an install script, or request the skill be updated so the registry metadata matches the actual runtime requirements.

Like a lobster shell, security has layers — review code before you run it.
