RouteMesh Crypto RPC

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed and used, the agent may make RouteMesh API calls using your API key.

Why it was flagged

The skill expects a RouteMesh API key so the agent can authenticate to the RouteMesh RPC service. This is purpose-aligned, but it gives the agent delegated access to the user's RouteMesh account quota/permissions.

Skill content

export ROUTEMESH_API_KEY="rm_...your_key..."

Recommendation

Use a scoped or disposable RouteMesh key where possible, keep it out of logs and shared shell history, and verify calls go to the intended RouteMesh endpoint.

What this means

A mistaken or overly broad request could query the wrong chain/method or send request data to a non-default endpoint if the URL is changed.

Why it was flagged

The documented interface allows arbitrary JSON-RPC methods, parameters, and a base URL override. This flexibility is central to the skill's purpose, but it should remain user-directed and targeted at trusted endpoints.

Skill content

- `--method`: JSON-RPC method ...
- `--params`: JSON string for params ...
- `--url`: optional base URL

Recommendation

Review the chain ID, method, params, and URL before running examples; prefer the default RouteMesh URL unless you intentionally need another endpoint.

What this means

The documented commands may not work as packaged, or a user may need to obtain the helper script from elsewhere before using the skill.

Why it was flagged

The skill instructs use of a helper script path, while the provided artifact set is instruction-only with no code files. This is a provenance/completeness gap rather than evidence of malicious behavior.

Skill content

python3 "{baseDir}/scripts/routemesh_rpc.py"

Recommendation

Confirm the helper script is included from a trusted source before running it, or use a direct, reviewed JSON-RPC request instead.