Etherscan
v1.0.0
Use when you need to query Etherscan API V2 for onchain activity, contract metadata, ABI/source retrieval, proxy implementation discovery, and transaction/lo...
by David @davidtaikocha
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md clearly requires an ETHERSCAN_API_KEY and describes API usage across multiple chains, but the registry metadata lists no required environment variables or primary credential. That mismatch suggests the manifest is incomplete or the skill will prompt for/expect secrets without declaring them.
Instruction Scope
Runtime instructions stay focused on querying Etherscan V2 (constructing API URLs, parsing responses, proxy-aware ABI resolution, pagination and throttling). They do not ask to read arbitrary system files or call unrelated endpoints.
Install Mechanism
This is instruction-only with no install spec and no code files — low install risk. Nothing is downloaded or written by an installer according to the manifest.
Credentials
The SKILL.md instructs users to set and use ETHERSCAN_API_KEY, yet requires.env is empty and primary credential is none. The skill also suggests persisting scan cursors/checkpoints but lists no config paths. Requesting/using an API key without declaring it is disproportionate and a registry oversight.
Persistence & Privilege
always:false and disable-model-invocation:false (normal). The guidance to persist cursors/state is reasonable for long scans, but the skill doesn't declare where or how to store that state (no config paths). Confirm expected storage location and permissions before use.
What to consider before installing
This appears to be a legitimate Etherscan-client instruction set, but the registry metadata is incomplete: SKILL.md expects an ETHERSCAN_API_KEY and suggests saving scan checkpoints, yet the skill manifest declares no environment variables or config paths. Before installing, ask the publisher to (1) declare ETHERSCAN_API_KEY (and its scope) in requires.env/primary credential, (2) confirm where persisted cursors/checkpoints are stored and what filesystem access is required, and (3) ensure the skill redacts the API key from any returned text (SKILL.md says to return the exact URL/query 'without exposing secret key'—verify enforcement). Also prefer creating a least-privilege/limited-rate API key and validate client-side throttling to avoid accidental overuse. If you cannot obtain these clarifications, treat the skill as untrusted and avoid supplying high-privilege API keys.
Like a lobster shell, security has layers — review code before you run it.
