Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zora NFT Pro

v1.0.0

Generates a Nano Banana style NFT and deploys it to the Zora Network.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for eshraqism/skill-zorapro.

Install the skill "Zora NFT Pro" (eshraqism/skill-zorapro) from ClawHub.
Skill page: https://clawhub.ai/eshraqism/skill-zorapro
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install eshraqism/skill-zorapro

ClawHub CLI

npx clawhub@latest install skill-zorapro

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The SKILL.md and scripts both require GEMINI_API_KEY, PRIVATE_KEY, and ZORA_RPC_URL which are reasonable for image generation + on-chain deployment, but registry metadata claims no required env vars — a clear inconsistency. The included code claims to upload to IPFS and deploy a Zora contract but contains placeholder values ('ipfs://...', '0x...') and no real upload/contract bytecode, so the implementation does not actually match the claimed end-to-end capability.
! Instruction Scope
Instructions explicitly ask for a private wallet key (PRIVATE_KEY) and to perform on-chain contract creation/signing. That is within the stated purpose but is high-risk: the skill has no instructions for safe signing (e.g., external/hardware signing, confirmation prompts, or testnet-only operation). SKILL.md doesn't specify which IPFS/Zora endpoints or how to avoid leaking keys; the instructions give the agent broad ability to sign and send transactions.
Install Mechanism
There is no install spec in the registry (install-type none), yet the package includes requirements.txt listing google-generativeai, web3, and requests. That mismatch means the skill may expect dependencies to be installed but doesn't declare how — increasing operational friction and risk if a runtime environment installs packages without vetting. Dependencies come from public PyPI packages (moderate risk) rather than unknown download URLs.
! Credentials
Requesting GEMINI_API_KEY and ZORA_RPC_URL is proportional to the stated functionality. Requesting PRIVATE_KEY is functionally necessary to sign and deploy contracts, but it is extremely sensitive. The registry metadata claiming no required env vars contradicts the code and SKILL.md, which is suspicious and could lead users to unknowingly expose credentials. There are no safeguards (e.g., prompts, warnings, or support for delegated signing) in code or docs.
Persistence & Privilege
always:false and no install spec that modifies system or other skills. The skill does not request persistent platform-wide privileges. However, since model invocation is allowed (default), an agent running this skill with a supplied PRIVATE_KEY could autonomously sign transactions — combine that with the prior concerns.
What to consider before installing
This skill needs a real wallet private key to sign and send transactions — exposing a private key to any third-party skill is high risk. Before installing:

  1. Verify the publisher and source (homepage is missing and metadata owner is opaque).
  2. Do not provide a funded mainnet private key; use a throwaway/test wallet or an account with very limited funds and permissions.
  3. Inspect and complete the code yourself — the script contains placeholders for IPFS upload and contract bytecode; it is not a finished deployer.
  4. Prefer workflows that require external signing (hardware wallet or separate signing service) rather than storing PRIVATE_KEY in environment variables.
  5. If you must test: run in an isolated environment, on testnet, and monitor outgoing network requests.
  6. Ask the author for an install spec and for proof of the exact contracts/bytecode used and for safe signing patterns before trusting real assets.

Like a lobster shell, security has layers — review code before you run it.

latest: vk975k0prq8n0d1pj13r2wee13n80yyan
1k downloads
0 stars
1 version
Updated 7h ago
v1.0.0
MIT-0

Nano Banana Zora Deployer

This can design a character using the Nano Banana visual style and immediately deploy it as an NFT on Zora.

Functions

  • create_and_mint_nft(prompt, collection_name, symbol):
    1. Generates an image via Nano Banana.
    2. Uploads the image to IPFS.
    3. Deploys a new NFT contract on Zora.

Environment Variables Required

  • GEMINI_API_KEY: For Nano Banana generation.
  • PRIVATE_KEY: Your wallet key for Zora deployment.
  • ZORA_RPC_URL: https://rpc.zora.energy

Developer: x.com/kakashi310
Buy me a coffee (Multichain): 0xB83C23b34E95D8892F067F823D6522F05063a236
