BNB Chain

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it claims, but it can use a BNB private key to make irreversible crypto transfers without built-in confirmation or clearly declared credential boundaries.

Only use this with a wallet you are prepared to risk, verify every recipient and amount manually, avoid command-line private keys, and do not keep BNB_PRIVATE_KEY available to the agent unless you intend it to be able to send funds.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or unintended invocation could send funds to the wrong address, and blockchain transfers are generally irreversible.

Why it was flagged

The helper immediately signs and broadcasts a real BNB transfer using the provided destination and amount, without an enforced confirmation or safety check.

Skill content

const tx = await wallet.sendTransaction({
  to: toAddress,
  value: ethers.parseEther(amount)
});

Recommendation

Require explicit user confirmation immediately before any send, show the from/to/amount/gas details, add a dry-run mode, and consider spending limits or allowlists.

What this means

If the key is exposed or used unintentionally, funds controlled by that wallet could be moved.

Why it was flagged

The skill asks users to provide a wallet private key that can authorize transfers from that wallet; passing it directly on the command line can also expose it through shell history or process listings, and the registry metadata declares no primary credential.

Skill content

export BNB_PRIVATE_KEY="0x..."

Or pass it directly to the helper script.

Recommendation

Avoid passing private keys as command-line arguments, prefer a tightly scoped throwaway wallet or safer signing flow, declare BNB_PRIVATE_KEY as a sensitive credential, and remove the variable after use.

What this means

Installing dependencies can add third-party code to the skill environment.

Why it was flagged

The setup fetches an external npm dependency. This is expected for an ethers-based blockchain helper and a package lock is included, but users should still recognize the external dependency path.

Skill content

cd ~/.openclaw/workspace/skills/bnb-chain && npm install ethers --silent

Recommendation

Use the included lockfile where possible, review dependency provenance, and install only from trusted npm sources.