Hedera Token Minting
v1.0.0
Create and manage fungible tokens and NFTs on Hedera with minting, supply control, and permission configuration.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and examples (using @hashgraph/sdk to create/mint/transfer/burn tokens) align with its stated purpose. Requiring the Hashgraph SDK is reasonable for Hedera token operations. However, the examples assume the presence of a Hedera client and private keys (treasuryKey, supplyKey, adminKey) without documenting how those credentials are supplied or secured.
Instruction Scope
SKILL.md gives concrete code for token operations and suggests `npm install @hashgraph/sdk`. It does not instruct the agent to read unrelated system files, but it references variables (client, treasuryId, supplyKey, treasuryKey, etc.) that imply access to sensitive credentials. There is no guidance on initializing the client, target network (testnet/mainnet), or secure key handling — leaving broad discretion about where keys come from.
Install Mechanism
This is an instruction-only skill with no install spec. The doc tells users to run `npm install @hashgraph/sdk`, which is a standard npm package install (traceable to the npm registry). That is expected for TypeScript examples but does carry the usual npm supply-chain considerations; no suspicious download URLs or archives are present in the skill itself.
Credentials
The runtime examples clearly require private keys and a configured Hedera client, but the skill declares no required environment variables, primary credential, or config paths. This mismatch is meaningful: the skill needs sensitive credentials to function but does not declare or constrain how they're provided, increasing risk of accidental key exposure or ad-hoc prompts for secrets.
Persistence & Privilege
The skill does not request persistent platform privileges (always is false), nor does it declare any config-path or cross-skill modification. It appears to rely on the agent executing user-supplied code snippets at runtime; no elevated platform presence is requested.
What to consider before installing
This skill appears to be a simple recipe for using the Hedera JavaScript/TypeScript SDK to create and manage tokens, which is coherent. However, the SKILL.md omits how to initialize the Hedera client or where private keys (treasuryKey, supplyKey, adminKey) should come from. Before installing or using the skill:
- Never paste real mainnet private keys into a tool or skill you don't fully trust. Prefer testnet keys for trial runs.
- Ask the publisher (or update the skill) to declare explicit environment variables or a secure key-loading procedure (e.g., use a secrets manager, environment variables with clear names, or hardware keys).
- Confirm whether the agent will prompt for keys or try to read them from files or environment variables. If it prompts, prefer to supply ephemeral/test keys or perform operations manually.
- Audit the @hashgraph/sdk version you install and pin a known-good version; run npm audit and review release notes for security issues.
- If you need higher assurance, request the skill include a secure example of client initialization (showing network selection, operator configuration, and explicit env var names) and clear instructions for safe key management.
I rated this 'suspicious' (medium confidence) because the core functionality matches the description but the omission of credential handling is a notable inconsistency. Providing declared env vars or a secure key-handling workflow would increase confidence.
