Typhoon Starknet Account

This skill appears to implement the advertised anonymous wallet + contract flows, but it performs several sensitive actions you should consider before installing: - Private keys are generated and stored on disk under ~/.openclaw/secrets/starknet. If you install/use this skill, your agent (and anyone with access to that path) can access those keys. Use a dedicated machine or isolated account and back up keys securely. - The event watcher can create cron jobs and modify your crontab (~/.openclaw/cron and system crontab). That gives the skill persistent, scheduled execution outside the agent. Only allow this if you trust the code and want continuous monitoring. - The watcher can POST events to user-specified webhook URLs. Verify any webhook targets and avoid exposing private data to unknown endpoints. - There is no automated install spec in the registry; you must run 'npm install' to fetch dependencies. Inspect package.json and the listed dependencies before installing, and consider installing in an isolated environment (container/VM) to limit blast radius. - The skill references environment variables (STARKNET_RPC_URL, PAYMASTER_URL, STARKNET_SECRETS_DIR) that are not declared as required in registry metadata — set them explicitly and review defaults (e.g., default RPC and paymaster hosts). Recommendations: - Review the create-account.js and watcher scripts locally to confirm behavior and tweak paths/cron behavior if necessary. - If you only need on-demand operations, avoid enabling the watcher/cron functionality. - Use an account with minimal funds for testing, and consider keeping secrets in a controlled secure store rather than defaulting to the home directory. Given the combination of local secret handling, crontab modification, and remote webhook capabilities, treat this skill as 'suspicious' unless you can fully audit and control how it is run.