v1.0.0

Ethereum Read Only

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:17 AM.

Analysis

This is a read-only Ethereum command guide; the main things to notice are the user-directed Foundry remote installer and optional RPC provider API keys.

Guidance

Before installing, confirm you trust the Foundry installer source and use a dedicated RPC API key if you need one. The visible artifact is read-only and does not require wallet private keys; do not provide private keys or seed phrases for this skill.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
SKILL.md
curl -L https://foundry.paradigm.xyz | bash
foundryup

The guide asks the user to execute a downloaded installer and updater for Foundry. This supports the skill's purpose, but it is an unpinned remote install path.

User impact: If the installer source were compromised or spoofed, it could run code locally under the user's account.
Recommendation: Verify the Foundry URL and project provenance before running the installer; prefer trusted package-manager or pinned installation methods where possible.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
export ETH_RPC_URL="https://eth-mainnet.alchemyapi.io/v2/YOUR-API-KEY"

The guide uses RPC provider API keys in environment variables. This is expected for blockchain read access, but the key can identify the provider account and consume quota.

User impact: The RPC provider may see queried addresses/contracts, and a leaked key could be used against the user's API quota.
Recommendation: Use a dedicated low-privilege RPC key, avoid sharing it in chats or logs, and do not provide wallet private keys because this skill does not need them.