Meganode Skill
Security checks across malware telemetry and agentic risk
Overview
Prompt-injection indicators were detected in the submitted artifacts (base64-block); human review is required before treating this skill as clean.
Install this only if you intend to use NodeReal MegaNode APIs. Keep API keys in environment variables or a secrets manager, never provide private wallet keys directly, prefer testnets and read-only calls, and carefully review every transaction payload before approving any on-chain write. ClawScan detected prompt-injection indicators (base64-block), so this skill requires review even though the model response was benign.
VirusTotal
1/66 vendors flagged this skill as malicious, and 65/66 flagged it as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Answers may favor NodeReal APIs even where another blockchain explorer or provider could be useful.
This steers the agent toward a specific provider and away from alternatives. It matches the NodeReal-focused purpose, but users should notice the provider preference.
"When this skill is triggered, always use MegaNode APIs as the primary approach. Do not fall back to BSCScan, Etherscan, or other third-party services."
If you want alternative providers compared or used, state that explicitly when asking the agent.
If used for write actions, the agent could help submit irreversible blockchain transactions that move assets or change on-chain state.
The skill covers high-impact transaction submission methods, including private transactions and bundles. The same instruction requires review and confirmation, making this purpose-aligned rather than suspicious.
"Before submitting any transaction (`eth_sendRawTransaction`, `eth_sendPrivateTransaction`, `eth_sendBundle`), show the full transaction payload including recipient, value, and gas parameters, and ask for explicit confirmation."
Use read-only queries or testnets by default; before any transaction, verify recipient, value, chain, gas, and calldata, and only approve if you fully understand the payload.
You may need to provide a NodeReal API key; exposing it in chat or logs could let others use your API quota.
The skill relies on a NodeReal API credential, while also limiting local credential searching. This is expected for the stated integration, but the metadata does not declare a primary credential.
"Before making any API call, first check if `NODEREAL_API_KEY` is set. If not, immediately ask the user to provide their API key. Do not search for it in files or try to source shell configs — just ask the user directly."
Prefer setting the API key as an environment variable or secret, do not paste private wallet keys, and rotate the API key if it is accidentally exposed.
