OpenChainBench Contributor
Pass
Audited by ClawScan on May 15, 2026.
Overview
This instruction-only contributor guide appears benign, with expected cautions around running repo commands, protecting API keys, and hosting a public metrics endpoint.
Before using this skill, confirm that you trust the OpenChainBench repository enough to run its pnpm commands, keep provider API keys out of commits, and review what your public `/metrics` endpoint exposes and what it costs to operate.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running dependency installation or build scripts in a cloned repo can execute project code on the user's machine.
The skill asks the user to clone an external repository and install project dependencies. This is normal for local contribution validation, but it means the user is trusting that repository and its package scripts.
`git clone https://github.com/OpenChainBench/OpenChainBench && cd OpenChainBench` ... `pnpm install`
Review the repository and package scripts before running pnpm commands, and use a normal development sandbox if possible.
Improperly scoped or accidentally committed API keys could expose provider accounts or incur costs.
The harness may require provider API keys. The instruction is purpose-aligned and explicitly warns not to commit secrets, but credential handling is still security-relevant.
Read API keys from environment variables. Never commit them.
Use least-privilege API keys, store them outside the repo, and confirm `.env` files are ignored before committing.
A hosted harness can continue consuming resources and exposing metrics until the user shuts it down or changes access controls.
The workflow involves a persistent public service. This is disclosed and central to the benchmark design, but users should understand the ongoing operational exposure.
The harness is a long-running data producer... Run continuously and expose `/metrics` over HTTPS on a stable port.
Monitor hosting costs, avoid exposing secrets in metrics, and ensure the harness can be stopped or rotated if needed.
