OpenScan Crypto
v1.0.0Navigate and query crypto networks via OpenScan infrastructure. Use when the user asks about blockchain data — balances (ETH, ERC20, BTC), blocks, transactio...
⭐ 0· 349·0 current·0 all-time
byJose Aloha@josealoha666
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the code and CLI: the code implements network listing, token lookup, event decoding, price-from-pools, RPC management, and EVM/BTC queries. Requested dependencies (npm @openscan/network-connectors) and CDN metadata are coherent with a network/RPC-focused tool.
Instruction Scope
Runtime instructions and CLI operate as expected, but the CLI auto-fetches metadata from jsDelivr/npm and persists RPC configuration and cached metadata under ~/.config/openscan-crypto and ~/.cache/openscan-crypto. It also makes runtime HTTP(S) requests to 4byte.directory, the npm registry, the CDN, and configured RPC endpoints — all consistent with its purpose but worth being aware of.
Install Mechanism
Registry metadata lists no install spec, however the repo includes install.sh and package.json; installation relies on npm install to pull @openscan/network-connectors. Pulling packages from npm and fetching metadata from jsDelivr/npm registry is standard for this kind of tool but adds supply-chain risk (third-party packages and remote metadata).
Credentials
The skill requests no environment variables or credentials. It reads and writes only its own config/cache files under the user's home directory (~/.config/openscan-crypto, ~/.cache/openscan-crypto), which is proportionate for a CLI that caches metadata and stores RPC selections.
Persistence & Privilege
always:false and no attempt to modify other skills or global agent settings. The skill persists its own configuration and cache under user-owned paths only; this is expected behavior for a CLI and within the scope of its stated functionality.
Assessment
This skill appears to do what it says: a read-only blockchain query CLI that fetches metadata from jsDelivr/npm and may install an npm dependency. Before installing, consider: 1) inspect package.json/@openscan/network-connectors (npm package) or run npm install in an isolated environment to reduce supply-chain risk; 2) be aware the CLI will create ~/.config/openscan-crypto/rpc-config.json and ~/.cache/openscan-crypto, and will fetch metadata from the npm registry and jsDelivr plus 4byte.directory — review those endpoints if you need to limit external calls; 3) RPC calls are made to endpoints from the metadata (or ones you add) — those nodes will see your requests (this is expected for an RPC client); 4) if you need stronger assurance, run the CLI inside a sandboxed user account or container and review the installed npm dependency source before trusting it. Overall the footprint is coherent with the declared purpose, but network and supply-chain considerations are the primary residual risks.Like a lobster shell, security has layers — review code before you run it.
latestvk97bj8k40whyxttk0yktcgr2rx81yk3j
License
MIT-0
Free to use, modify, and redistribute. No attribution required.