Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Blockchain Web3 Toolkit

v1.0.0

Comprehensive blockchain toolkit for Ethereum wallet management, smart contract interaction, NFT minting, token balance checks, and gas fee monitoring.

by Lv Lancer (@kaiyuelv)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The skill's name and description (Ethereum wallet, contracts, NFT, gas monitoring) match the included Python modules (wallet_manager, contract_interface, nft_tools, gas_monitor). However, the registry lists no required environment variables, while the code expects INFURA_API_KEY (used in NETWORKS) and the README mentions ETHERSCAN_API_KEY; because of this mismatch, the metadata understates the external network access the skill requires.
Instruction Scope (flagged)
SKILL.md shows example shell commands for scripts like create_wallet.py, get_balance.py, deploy_contract.py, mint_nft.py, but those specific script files are not present in the file manifest. The code that is present does perform network calls (Infura RPC via RPC URLs) and handles private keys (create/import/export). The SKILL.md is therefore inaccurate and grants the agent vague authority to run files that don't exist, which is scope-incoherent.
Install Mechanism
There is no install spec (instruction-only behavior with bundled source files). No remote downloads or install-time code execution are declared, which minimizes install-time risk. The package has a requirements.txt declaring standard Python Web3 dependencies.
Credentials (flagged)
The code reads INFURA_API_KEY (via python-dotenv/load_dotenv) to build RPC URLs but the registry metadata declares zero required environment variables; README also mentions ETHERSCAN_API_KEY and DEFAULT_NETWORK though ETHERSCAN_API_KEY is not used in the code. Requesting RPC credentials (INFURA key) is expected for a Web3 toolkit, but the omission from metadata is an incoherence and a practical risk (users may not realize an API key is needed). The code and examples also print or expose private keys (examples and tests), which is sensitive behavior that should be highlighted.
Persistence & Privilege
The skill is not set to always: true, does not declare system-wide config changes, and does not request persistent elevated privileges. It will operate only when invoked. No evidence it tries to modify other skills or global agent settings.
What to consider before installing
This package appears to implement a reasonable Web3 toolkit, but there are several red flags you should consider before installing or running it:
- Metadata vs code mismatch: The registry claims no required env vars, but wallet_manager.py expects INFURA_API_KEY (and README mentions ETHERSCAN_API_KEY). Treat INFURA_API_KEY as required and keep it secret.
- SKILL.md inaccuracies: The documented shell commands reference scripts that are not included. Don't assume the examples fully reflect runtime behavior; inspect the actual scripts before running.
- Private key handling: Examples and wallet creation routines print or return raw private keys. Never run this on a machine or channel where output could be captured or logged; never supply real mainnet private keys unless you fully trust the code and environment.
- Network access: The code connects to Infura RPC endpoints. Only run in an environment where outbound network calls are acceptable and you're comfortable providing an INFURA API key.
- Verify source and provenance: The skill's source/homepage is unknown. Prefer packages with a verifiable origin or review the code manually (especially deploy/send_transaction paths) before use.
Consider running the included unit tests in an isolated environment and audit any scripts that send transactions to avoid accidental fund loss. If you plan to use it: inspect contract deployment and transaction signing code paths, supply an INFURA_API_KEY via a secure .env or secrets mechanism, and test only on a testnet (sepolia/goerli) with throwaway keys first.


latest: vk97awrw2b1r5cj2bc510z2wwcx84m1gy
