ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Relay Link Bridge

v1.1.0

Professional Bridge & Swap skill using Relay.link. Supports automated execution and smart tracking for 70+ networks.

0· 39·0 current·0 all-time
by0xRapzz@flipz3ro
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Relay Link bridge) match what the scripts do: call relay.link APIs, produce quotes, and sign/send transactions. Required binaries (curl, jq, cast, bc) and environment variables (private key and addresses) are expected for this functionality.
Instruction Scope
SKILL.md and the scripts instruct the agent to read ~/.openclaw/config.env for credentials, get quotes from api.relay.link, and prompt the user before signing/sending. That scope is appropriate for a bridge skill, but the tool will read a local config file containing your private key and will execute transactions if the interactive confirmation is answered 'yes' (or if an agent simulates that response). The SKILL.md explicitly requires showing a quote and waiting for user consent — follow that rule.
Install Mechanism
There is no remote install step or archive download; this is an instruction-only skill with included scripts. No downloads from untrusted URLs or extraction steps are present in the provided files.
Credentials
The requested environment variables (EVM_PRIVATE_KEY, EVM_ADDRESS, SOLANA_ADDRESS) are necessary to sign and route cross-chain transfers and are proportionate to the stated purpose. These are highly sensitive credentials; users should not store production/private funds in a key used by an automated script. Minor inconsistencies in naming exist (README mentions AVAX_PRIVATE_KEY; script expects EVM_PRIVATE_KEY and exports ETH_PRIVATE_KEY for cast), which can cause confusion but do not imply malicious intent.
Persistence & Privilege
The skill is not always-enabled, does not request elevated system privileges, and does not modify other skills or global agent settings. It only reads a user config file in ~/.openclaw/config.env and executes its own scripts.
Assessment
This skill appears to be what it says: a Relay.link bridge helper that reads a local config file and uses your private key to sign transactions. Before installing or running it: (1) Review the scripts yourself (they are included) so you understand exactly what will run. (2) Do not put large amounts in the key used by this skill — consider an ephemeral/test key or small-value tests first. (3) Ensure ~/.openclaw/config.env is protected (file permissions) and contains the environment variables the scripts expect (note README vs script naming mismatch: README mentions AVAX_PRIVATE_KEY, scripts use EVM_PRIVATE_KEY and export ETH_PRIVATE_KEY for cast). (4) Confirm the relay.link endpoints (api.relay.link) are correct and you trust them. (5) Because the scripts prompt interactively, ensure you (not an automated agent) approve transactions — if you allow autonomous agent invocation, an agent could respond to prompts and send transactions. If any of these points are unacceptable, do not install or run the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97194v61129ag49xn0e28r0rh83r808

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔀 Clawdis
Binscurl, jq, cast, bc
EnvEVM_PRIVATE_KEY, EVM_ADDRESS, SOLANA_ADDRESS

Comments