RouteMesh Crypto RPC
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: routemesh-crypto-rpc Version: 1.0.0 The skill is classified as suspicious due to the `--url` parameter described in `SKILL.md`. This parameter allows the skill to make network requests to arbitrary endpoints, which is a powerful and risky capability. While potentially useful for legitimate purposes (e.g., custom RPC endpoints), it could be abused to direct the agent to malicious external servers or internal network resources if the agent were compromised or given malicious input, without clear malicious intent within the provided files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and used, the agent may make RouteMesh API calls using your API key.
The skill expects a RouteMesh API key so the agent can authenticate to the RouteMesh RPC service. This is purpose-aligned, but it gives the agent delegated access to the user's RouteMesh account quota/permissions.
export ROUTEMESH_API_KEY="rm_...your_key..."
Use a scoped or disposable RouteMesh key where possible, keep it out of logs and shared shell history, and verify calls go to the intended RouteMesh endpoint.
A mistaken or overly broad request could query the wrong chain/method or send request data to a non-default endpoint if the URL is changed.
The documented interface allows arbitrary JSON-RPC methods, parameters, and a base URL override. This flexibility is central to the skill's purpose, but it should remain user-directed and targeted at trusted endpoints.
- `--method`: JSON-RPC method ... - `--params`: JSON string for params ... - `--url`: optional base URL
Review the chain ID, method, params, and URL before running examples; prefer the default RouteMesh URL unless you intentionally need another endpoint.
The documented commands may not work as packaged, or a user may need to obtain the helper script from elsewhere before using the skill.
The skill instructs use of a helper script path, while the provided artifact set is instruction-only with no code files. This is a provenance/completeness gap rather than evidence of malicious behavior.
python3 "{baseDir}/scripts/routemesh_rpc.py"Confirm the helper script is included from a trusted source before running it, or use a direct, reviewed JSON-RPC request instead.