Hedera Token Minting

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, an agent or user could move tokens to the wrong account or on the wrong network with limited ability to reverse the action.

Why it was flagged

The skill provides a direct token-transfer execution example. Blockchain transfers can be irreversible, and the artifact does not require explicit user confirmation, recipient validation, amount checks, fee preview, or network selection before execution.

Skill content

await new TransferTransaction().addTokenTransfer(tokenId, fromAccount, -10).addTokenTransfer(tokenId, toAccount, 10).execute(client);

Recommendation

Require an explicit confirmation step before any transaction, display network, account, token ID, recipient, amount, fees, and operation type, and default to testnet or dry-run guidance before mainnet execution.

What this means

A mistaken burn could permanently destroy token supply or affect a production token.

Why it was flagged

The skill includes a token burn operation that can permanently reduce token supply, but it does not define approval, reversibility, safeguards, or scope limits.

Skill content

await new TokenBurnTransaction().setTokenId(tokenId).setAmount(100).execute(client);

Recommendation

Add guardrails requiring user approval, token ownership verification, amount confirmation, and a clear warning that burns are permanent before execution.

What this means

Using the wrong key or exposing these keys could allow unintended token administration, minting, burning, or treasury actions.

Why it was flagged

The examples rely on powerful Hedera keys for administration, supply control, and treasury signing. This is expected for token minting, but the registry metadata declares no credential requirements and the skill gives no key-handling boundaries.

Skill content

.setAdminKey(adminKey).setSupplyKey(supplyKey).freezeWith(client).sign(treasuryKey);

Recommendation

Clarify required credentials, advise least-privilege key use, avoid sharing private keys with the agent unless necessary, and document secure key storage and signing practices.

What this means

Installing an unpinned package can result in different code being installed over time, depending on the latest package release.

Why it was flagged

The setup uses a third-party npm package without a pinned version. This is purpose-aligned for Hedera development, but users should understand the dependency provenance and version they install.

Skill content

npm install @hashgraph/sdk

Recommendation

Pin a reviewed SDK version and install from the official package source; consider documenting the expected version and checksum or lockfile.