BNB Chain NFT
NFT operations on BNB Chain — get NFT metadata, check ownership, list NFTs by owner, transfer ERC-721 tokens, get collection info. Use for any NFT-related tasks on BSC.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
by @CLAWZAI
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description align with the included code: nft.js implements ERC-721 read/write operations on BNB Chain. The package.json and package-lock.json list ethers as the only dependency, which is appropriate for the stated purpose.
Instruction Scope
SKILL.md accurately documents commands and notes the need for a private key for write operations. However, the skill's manifest declared no required env vars/binaries, while the runtime instructions expect Node.js/npm and optionally BNB_PRIVATE_KEY and BNB_RPC_URL. SKILL.md also instructs running npm install ethers (network access) and fetching tokenURI HTTP URLs when present (fetches arbitrary metadata endpoints).
Install Mechanism
There is no automated install spec in the registry; installation is instruction-only (npm install). This pulls packages from the public npm registry (ethers and its dependencies) which is common for Node skills but is a moderate-risk action compared with instruction-only skills that require no package downloads.
Credentials
The only sensitive secret referenced is BNB_PRIVATE_KEY (used only for transfer/approve/setApprovalForAll operations) and an optional BNB_RPC_URL. These are proportionate to on-chain write operations. The manifest did not declare BNB_PRIVATE_KEY as a required env var, so the discrepancy should be noted before use.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. It is instruction-only and runs as a CLI script (no automatic background installation or modification of other skills).
Assessment
This skill appears to do what it claims—interact with ERC‑721 contracts on BNB Chain—but take these precautions before installing or running it:
- The registry metadata omits runtime requirements: you need Node.js/npm to run nft.js and the SKILL.md asks you to run npm install. Don't run npm install in a sensitive environment without review.
- The SKILL.md mentions BNB_PRIVATE_KEY for write actions; the manifest didn't declare this env var. Only provide a private key if you trust the code and understand the risk. Prefer using a testnet key or an ephemeral wallet for testing.
- The script fetches tokenURI URLs (arbitrary HTTP(S) endpoints). Metadata fetches will contact third-party servers and the responses are printed to stdout — avoid sending logs/outputs to untrusted endpoints if you care about privacy.
- Verify BNB_RPC_URL (default is public Binance RPC). Consider using a trusted RPC provider or your own node to avoid MITM or rate-limiting issues.
- Review nft.js yourself (or have someone else review) before giving it access to any real private key. If you only need read-only info, avoid supplying a private key or run the read commands only.
If you want higher assurance, ask the skill author to declare required env vars (BNB_PRIVATE_KEY optional, BNB_RPC_URL optional) and required binaries (node/npm) in the registry metadata and to provide reproducible release/source provenance.
Like a lobster shell, security has layers — review code before you run it.
Current version: v0.1.0
SKILL.md
BNB Chain NFT Skill
ERC-721 NFT operations on BNB Chain (BSC).
Setup
Requires Node.js and ethers.js:
cd ~/.openclaw/workspace/skills/bnb-nft && npm install ethers --silent
Configuration
For write operations (transfer, approve), set the private key:
export BNB_PRIVATE_KEY="0x..."
Or pass it with the --key flag.
Usage
All operations use: nft.js
Get Collection Info
node nft.js collection <contract_address>
Returns name, symbol, total supply (if available).
Get NFT Metadata
node nft.js metadata <contract_address> <token_id>
Returns owner, tokenURI, and fetched metadata (if URI is HTTP).
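The tokenURI comes from the contract, so it is untrusted input to the HTTP fetch. As an added example (not code from nft.js or the skill's author), one way to vet that URI before fetching it; `vetTokenUri`, `fetchMetadata`, the size cap and the timeout are assumptions made for illustration:

```javascript
// Added example: vet a contract-supplied tokenURI before fetching it.
// vetTokenUri and fetchMetadata are hypothetical names, not taken from nft.js.
const MAX_BYTES = 256 * 1024; // assumed upper bound on metadata size
const TIMEOUT_MS = 5000;      // assumed fetch timeout

// True for IPv4 literals in unspecified, private, loopback or link-local ranges.
function isInternalIPv4(host) {
  const m = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return false;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Returns { ok: true, url } or { ok: false, reason } without touching the network.
function vetTokenUri(uri) {
  let url;
  try { url = new URL(uri); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:')
    return { ok: false, reason: 'scheme ' + url.protocol };
  if (url.username || url.password)
    return { ok: false, reason: 'embedded credentials' };
  // URL parsing normalises shorthand and decimal IPv4 forms to dotted quads.
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost') || host.endsWith('.local') ||
      host.startsWith('[') || isInternalIPv4(host))
    return { ok: false, reason: 'internal or IPv6-literal host' };
  return { ok: true, url: url.href };
}

// Fetch vetted metadata: timeout, redirects refused, oversized bodies rejected
// once downloaded, and the body parsed as JSON.
async function fetchMetadata(uri) {
  const verdict = vetTokenUri(uri);
  if (!verdict.ok) throw new Error('refusing tokenURI: ' + verdict.reason);
  const res = await fetch(verdict.url, {
    redirect: 'error', signal: AbortSignal.timeout(TIMEOUT_MS),
  });
  if (!res.ok) throw new Error('HTTP ' + res.status);
  const body = await res.arrayBuffer();
  if (body.byteLength > MAX_BYTES) throw new Error('metadata too large');
  return JSON.parse(new TextDecoder().decode(body));
}
```

This check only looks at the URI itself: a public hostname that resolves to an internal address is not caught, and all IPv6 literals are refused rather than classified.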
Check NFT Owner
node nft.js owner <contract_address> <token_id>
List NFTs Owned by Address
node nft.js owned <contract_address> <wallet_address> [--limit 100]
Scans token IDs to find NFTs owned by the wallet. Use --limit to cap the scan range.
Get Wallet's NFT Balance
node nft.js balance <contract_address> <wallet_address>
Returns the count of NFTs the wallet owns in the collection.
Transfer NFT
node nft.js transfer <contract_address> <to_address> <token_id> [--key <private_key>]
Approve NFT for Transfer
node nft.js approve <contract_address> <spender_address> <token_id> [--key <private_key>]
Set Approval for All
node nft.js approve-all <contract_address> <operator_address> <true|false> [--key <private_key>]
Check if Approved
node nft.js is-approved <contract_address> <token_id> <spender_address>
Popular NFT Collections (BSC Mainnet)
| Collection | Address |
|---|---|
| Pancake Squad | 0x0a8901b0E25DEb55A87524f0cC164E9644020EBA |
| Pancake Bunnies | 0xDf7952B35f24aCF7fC0487D01c8d5690a60DBa07 |
| BakerySwap | 0x5d0915E32b1fb1144f27B87C9f65AC3f661C9e6D |
Security Notes
- Never commit private keys to git
- Always verify contract addresses before interacting
- Use testnet for testing transfers first
- Check approval status before marketplace listings
