Blockscout for Web3 Dev

Pass

Audited by VirusTotal on May 1, 2026.

Overview

Type: OpenClaw Skill
Name: web3-dev
Version: 0.1.0

The skill bundle provides instructions and references for integrating the Blockscout PRO API into Web3 applications. It demonstrates strong security awareness by explicitly instructing the AI agent to avoid requesting API keys in conversation transcripts and instead directing users toward secure practices like environment variables or gitignored .env files. The logic is entirely consistent with its stated purpose of blockchain data retrieval, and the included endpoint index (references/pro-api-index.md) contains standard explorer functionality without any evidence of malicious intent or unauthorized data exfiltration.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may refuse to continue or steer away from non-Blockscout options until a PRO API key is configured.

Why it was flagged

The skill can be invoked for broad web3 requests and then changes the agent's stopping conditions when no Blockscout key is available.

Skill content

Trigger on broader phrasing like "build a web3 app" ... If no key is found anywhere, stop ... must not ... write or sketch code ... propose alternative data sources

Recommendation

Use this skill when you specifically want Blockscout PRO API help; for generic web3 development or alternative data sources, ask the agent not to invoke this skill.

What this means

Exploratory calls may send queried addresses or parameters to Blockscout and may consume API quota or paid usage.

Why it was flagged

The skill explicitly expects the agent to make live authenticated provider calls during planning/debugging, not only in final user code.

Skill content

the agent needs the key for its own research and debug calls ... Probing an endpoint to confirm its real response shape, validating a parameter combination by trying it

Recommendation

Use a scoped/test API key where possible, monitor usage, and ask the agent to confirm before high-volume or sensitive queries.

What this means

The agent may access and use an API key tied to your Blockscout account, which could expose account usage and consume quota.

Why it was flagged

The skill directs the agent to access sensitive credential locations to find a Blockscout PRO API key.

Skill content

Look for a key in the agent's environment ... A project-local secrets file ... A key the user previously placed in the agent's stored memory or persistent profile

Recommendation

Store only the intended Blockscout key in a scoped environment variable or gitignored project secret, avoid pasting keys into chat, and rotate the key if exposed.

What this means

A saved API key could persist beyond the current task and be reused later if the user confirms.

Why it was flagged

The skill allows cross-session reuse of saved credentials, while also requiring confirmation and masking.

Skill content

Confirm before reusing a key from stored memory or a prior session ... Never echo the full key value back

Recommendation

Review what secrets are saved in the agent profile, remove stale keys, and confirm reuse only when the current task should use that Blockscout account.