Skill v0.2.0

ClawScan security

superrare-deploy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 20, 2026, 3:07 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and required environment (cast, jq, curl, and a BANKR_API_KEY) are consistent with its stated purpose of submitting SuperRare sovereign deployments via the Bankr API; nothing indicates hidden or unrelated behavior.
Guidance
This skill appears to do exactly what it says: prepare calldata and submit SuperRare factory deploy transactions via Bankr. Before installing or running it, (1) verify you trust the Bankr API endpoint you will use (default https://api.bankr.bot) and ensure your BANKR_API_KEY has appropriate, minimal scopes, (2) review and, if needed, confirm the factory addresses and RPC defaults in scripts/config.example.json to ensure they point to the official RARE factory and desired networks, and (3) remember that broadcasting will create an on-chain transaction (gas cost) under credentials you provide, so test using dry-run or a testnet first. If you are uncomfortable granting an API key that can submit on-chain transactions, do not provide BANKR_API_KEY.

Review Dimensions

Purpose & Capability
ok: Name/description match the code and SKILL.md. Required binaries (cast, jq, curl) and the BANKR_API_KEY credential are appropriate for building calldata, talking to RPCs, and calling the Bankr signing/submission API. The scripts operate on factory calldata and receipts as expected.
Instruction Scope
ok: SKILL.md and the scripts' runtime instructions confine actions to building transaction calldata, optionally broadcasting via Bankr, polling an RPC for receipts, and writing local receipt JSON files. Credential lookup (env, systemctl user env, and Bankr config files) is explicit in the docs and mirrored in the code. The scripts do not access unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
ok: No install spec is provided (instruction-only with included shell scripts). That minimizes install-time risk; the script files are plain shell and use only standard tools (cast/jq/curl).
Credentials
ok: Only BANKR_API_KEY is required as a secret; other environment variables are optional RPC overrides or behavior toggles. The code searches a few sensible config paths for convenience (~/.openclaw/... and ~/.bankr/config.json), which is reasonable for resolving the Bankr key/API URL.
Persistence & Privilege
ok: always is false and the skill does not attempt to modify other skills or system-wide settings. It writes receipts into a local receipts/ directory inside the skill and does not persist beyond that.