ClawHub

circle chain skill

v1.1.1

JavaScript SDK and CLI for Circle Chain (@lidh04/circle-chain-sdk): user auth, wallet, block, miner, transfers, contacts. Global CLI binary `circle`. Use whe...

0· 103·0 current·0 all-time
byCharles@lidh04
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The SKILL.md describes a JS SDK and global CLI (npm package @lidh04/circle-chain-sdk). All instructions (build, test, npm install -g, node ./dist/mjs/cli) match that purpose; nothing in the metadata asks for unrelated capabilities.
Instruction Scope
Instructions are focused on using and developing the SDK/CLI (installing package, running CLI commands, building, mining flows). The document does not instruct reading arbitrary system files, scanning env vars, or exfiltrating data to unexpected endpoints. It documents API patterns including auth flows, wallets, mining and transfers which are expected for this domain.
Install Mechanism
There is no formal install spec in the skill bundle (lowest static install risk). The README recommends running `npm install -g @lidh04/circle-chain-sdk`, which is normal for a CLI but will pull code from npm at runtime — the package has no homepage/source listed in the skill metadata, so the actual package contents cannot be vetted from this skill alone.
Credentials
The skill does not declare or require environment variables or config paths. Auth and payment concepts are described in the SDK usage (email/verify-code, payPassword) but those are usage-level parameters rather than environment secrets demanded by the skill bundle itself.
Persistence & Privilege
Skill flags: always=false, user-invocable=true, model invocation allowed. The skill is instruction-only and does not request permanent platform-level presence or modify other skills/configuration.
Assessment
This skill's instructions are consistent with a CLI/SDK for a blockchain project, but the package source and homepage are not provided in the metadata. Before installing or running the global npm package: (1) verify the package page on the npm registry and the author/maintainer; (2) review the package's repository/source code if available; (3) avoid global install on a production machine—prefer local install or a disposable sandbox/container; (4) be cautious when exercising wallet/mining/transfer commands (they may perform network calls and move funds); (5) if you need higher assurance, ask the publisher for the repository URL and verify package integrity (checksums/signatures) or run npm audit. Providing the package homepage/repo would raise confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk978frh61gvads16qdrzp5b2yx8390p3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments