Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Solidity LSP

v1.0.0

Solidity language server providing smart contract development support including compilation, linting, security analysis, and code intelligence for .sol files. Use when working with Ethereum smart contracts, Substrate pallets, or any Solidity code that needs compilation, security checks, gas optimization, or code navigation. Essential for ClawChain pallet development.

MIT-0
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is named and described as a 'Solidity LSP' (language server / code intelligence) but the SKILL.md only contains instructions for installing and running CLI tools (solcjs, solhint, slither) and framework docs. There is no LSP implementation, no server integration, and nothing that provides language-server protocol hooks. It also claims to be 'essential for ClawChain pallet development' even though ClawChain sections discuss ink! (Rust) — the scope and claims do not align.
Instruction Scope
The runtime instructions are limited to installing and running compilers, linters, and analyzers; they do not instruct the agent to read arbitrary host files or exfiltrate data. However, the references/frameworks.md includes an example Hardhat config that reads SEPOLIA_URL and PRIVATE_KEY from environment variables for deployments, which could lead users to keep a signing key in a plain env var. The instructions also suggest running networked installers and security tools (slither) that may require additional privileges.
Install Mechanism
This is an instruction-only skill (no install spec), but it recommends installing Foundry via a curl | bash bootstrap (curl -L https://foundry.paradigm.xyz | bash). That pattern downloads and executes a remote script with no chance to inspect it and no pinned version or checksum, so it is higher-risk than using a reviewed package manager. It also recommends global npm installs and pip installs; these are normal but alter the system and should be run deliberately.
Credentials
The skill declares no required env vars or credentials (good), but the included framework examples show using SEPOLIA_URL and PRIVATE_KEY in hardhat config. The skill doesn't itself require those creds, but its docs encourage patterns (env-stored private keys) that are sensitive. No unexpected external API keys or unrelated credentials are requested by the skill.
Persistence & Privilege
The skill is instruction-only, has no install-time persistence, and does not request always:true or elevated platform privileges. It will not be force-included or modify other skill configs.
What to consider before installing
This skill is not malicious but is inconsistent and has a few risky recommendations. Before installing or following the instructions:
(1) Note the mismatch: the skill advertises an LSP but contains only CLI instructions. If you need an LSP, install and verify a real Solidity language-server package.
(2) Do not run curl | bash blindly (Foundry installer). Fetch the script to a file, inspect it, check its hash, and only then execute it, or use the official package manager instructions.
(3) Never place private keys in plain environment variables on a shared machine; use a hardware wallet, throwaway keys, or an isolated environment for deployments.
(4) Prefer installing solc/solhint/slither from official, versioned sources and run them in a sandbox or container if you are unsure.
(5) Because the skill is instruction-only, the agent will not automatically access your files or keys, but if you tell the agent to run these commands, they run with your user privileges.
If you want this skill for IDE LSP features, look for a skill that actually installs and configures a language-server (LSP) implementation and cites a trustworthy source.
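The two checks the scan recommends for points (2) and (3) above, as an added shell example that is not part of the skill or of Foundry's own installer: download the bootstrap script to a file, compare its SHA-256 against a hash you pinned after reviewing it, and refuse to execute on mismatch; and a pre-flight test for a raw hex signing key sitting in the PRIVATE_KEY environment variable named in the skill's Hardhat docs. The installer URL, the placeholder hash, and the 64-hex-character key format are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the skill's or Foundry's code. Replaces `curl -L URL | bash`
# with download -> inspect -> hash check -> execute, and refuses to proceed
# while a raw private key is exported in the environment.
set -eu

# Portable SHA-256 of a file: coreutils on Linux, shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 if FILE hashes to EXPECTED_SHA256. On mismatch it prints both
# digests, deletes FILE so a later step cannot run it by accident, and returns 1.
verify_script() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'hash mismatch for %s\n  expected %s\n  actual   %s\n' \
    "$file" "$expected" "$actual" >&2
  rm -f "$file"
  return 1
}

# env_has_raw_private_key
# Returns 0 if PRIVATE_KEY is set to something that looks like a 32-byte hex
# secp256k1 key (optionally 0x-prefixed), 1 otherwise. Assumption: this is the
# format the skill's Hardhat example expects.
env_has_raw_private_key() {
  printf '%s' "${PRIVATE_KEY:-}" | grep -Eq '^(0x)?[0-9a-fA-F]{64}$'
}

# fetch_and_run URL EXPECTED_SHA256
# Downloads over HTTPS only, stops so you can read the script, verifies the
# pinned hash, then runs it. `set -e` aborts the function if verification fails.
fetch_and_run() {
  url=$1
  expected=$2
  if env_has_raw_private_key; then
    echo 'refusing to run an installer while PRIVATE_KEY holds a raw key' >&2
    return 1
  fi
  tmp=$(mktemp)
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
  echo "downloaded to $tmp; review it before continuing" >&2
  verify_script "$tmp" "$expected"
  sh "$tmp"
  rm -f "$tmp"
}

# Usage (hash is a placeholder; pin the digest of the script you reviewed):
# fetch_and_run https://foundry.paradigm.xyz \
#   0000000000000000000000000000000000000000000000000000000000000000
```

Pinning a hash does not make the script trustworthy on its own; it only guarantees that what runs is the same bytes you read. Re-review and re-pin whenever the upstream installer changes.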


License

MIT-0
Free to use, modify, and redistribute. No attribution required.
