Etherscan Mcp Skill

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: etherscan-mcp-skill
Version: 1.0.0

The skill bundle provides a structured interface for the OpenClaw agent to interact with Etherscan's Model Context Protocol (MCP) endpoint via the 'uxc' CLI tool. It includes comprehensive instructions for authentication setup, command aliasing (etherscan-mcp-cli), and safe 'help-first' discovery patterns for blockchain data retrieval. The validation script (scripts/validate.sh) and usage documentation (references/usage-patterns.md) reinforce legitimate usage and guardrails, with no evidence of malicious intent, data exfiltration, or unauthorized execution.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may use your Etherscan API key for MCP calls, which could consume quota or expose account-level API usage to Etherscan.

Why it was flagged

The skill uses a bearer API key for Etherscan access. This is expected for the stated service, but users should notice that credentials are involved and that the registry metadata does not declare them.

Skill content

An Etherscan API key is available for authenticated calls... `uxc auth credential set etherscan-mcp --auth-type bearer --secret-env ETHERSCAN_API_KEY`

Recommendation

Use a dedicated Etherscan API key with appropriate limits, confirm the UXC binding points only to mcp.etherscan.io/mcp, and rotate the key if it is no longer needed.

What this means

Your investigation targets and API-authenticated requests may be visible to Etherscan or the configured MCP transport.

Why it was flagged

The skill sends MCP requests through UXC to an external Etherscan endpoint. The endpoint is clearly disclosed and purpose-aligned, but user-supplied addresses, hashes, and authenticated requests will leave the local environment.

Skill content

Network access to `https://mcp.etherscan.io/mcp`.

Recommendation

Avoid sending private investigation context unless you are comfortable sharing it with Etherscan, and review the exact command arguments before running them.

What this means

If used, the agent could submit contract verification-related data to Etherscan rather than only reading public blockchain data.

Why it was flagged

Most documented operations are reads, but verifySourceCode can be a write-like Etherscan action. The skill correctly flags it as requiring explicit confirmation.

Skill content

Verification:
  - `verifySourceCode`
  - `checkVerifyStatus`
...
- Treat `verifySourceCode` as a write-like action requiring explicit user confirmation.

Recommendation

Require explicit confirmation before verifySourceCode, review all source-code and metadata parameters, and prefer read-only operations unless verification is the user’s stated goal.

What this means

Available commands may depend on the local UXC installation and current Etherscan MCP behavior, not just the reviewed skill text.

Why it was flagged

The skill depends on an external UXC CLI and an evolving remote MCP tool surface. This is documented and mitigated by help-first inspection, but users should know the installed/local tooling and remote schemas are outside this artifact.

Skill content

`uxc` is installed and available in `PATH`... Etherscan can expand MCP tools independently of this wrapper skill.

Recommendation

Use a trusted UXC installation, inspect `etherscan-mcp-cli -h` and operation-specific help before use, and avoid newly exposed write-like operations unless explicitly requested.