Abstract Onboard
v1.6.0
Deploy smart contracts and bridge assets to Abstract (ZK Stack L2). Use when an agent needs to deploy contracts on Abstract, bridge ETH/tokens to Abstract, trade/swap tokens, place predictions on Myriad Markets, check balances, transfer assets, or interact with Abstract mainnet. Covers zksolc compilation, Hardhat deployment, Relay bridging, DEX trading (Kona, Aborean), Myriad prediction markets, and key contract addresses.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The name/description (deploy, bridge, trade, manage AGW on Abstract) match the included scripts and reference docs. The code implements the advertised capabilities (deploy-abstract, relay-bridge, swaps, Myriad interactions, AGW creation).
Instruction Scope
SKILL.md and scripts instruct the agent/user to provide private keys (WALLET_PRIVATE_KEY or PRIVATE_KEY) and to run actions that transfer value (bridge, swap, transfer, approve). Some scripts (bridge-usdc-relay.js) automatically compute the full token balance and execute all steps returned by an external quote API, effectively bridging nearly the entire balance without an explicit per-step confirmation. Scripts expect and will use secrets and can perform irreversible on-chain operations — this is in-scope for the stated purpose but requires clear user consent and safeguards; the skill's instructions do not enforce or document enough safety checks.
Install Mechanism
There is no install spec in registry metadata (instruction-only), but a package.json with dependencies (ethers, zksync-ethers, viem, @abstract-foundation/agw-client) is included. Installing these via npm is expected for functionality; there are no obscure external download URLs in the manifest. However the install step is not declared in the registry metadata, which is an omission the user should be aware of.
Credentials
Registry metadata states 'Required env vars: none', but many scripts and SKILL.md explicitly require WALLET_PRIVATE_KEY or PRIVATE_KEY, and some accept ABSTRACT_RPC/ABSTRACT_RPC/DEX_ROUTER and other env vars. Requiring a private key is proportionate to the claimed functionality, but the metadata omission is a significant mismatch and the skill asks for highly sensitive secrets without declaring them. Multiple env var names are used inconsistently across scripts (WALLET_PRIVATE_KEY vs PRIVATE_KEY), increasing risk of accidental use of the wrong secret.
Persistence & Privilege
The skill does not request always:true, does not attempt to alter other skills or system-wide settings, and is not marked to run persistently. It operates as invoked — autonomy is allowed by default but not elevated here.
Scan Findings in Context
[base64-block] unexpected: The pre-scan flagged a base64-block pattern in SKILL.md content. I did not find an obvious embedded base64 payload in the truncated SKILL.md or visible files; this may be a false positive (e.g., an IPFS/Qm hash or other encoded data elsewhere). Nonetheless, any unexpected embedded blocks would be suspicious — review the full SKILL.md and all files for encoded data before trusting the skill.
What to consider before installing
This skill appears to implement the advertised Abstract (ZK Stack L2) operations, but the registry metadata is misleading: it claims no required environment variables while the scripts repeatedly expect your wallet private key (WALLET_PRIVATE_KEY or PRIVATE_KEY) and will sign and send real transactions (bridge, swap, transfer, deploy). Before installing or running it:
- Do not provide your mainnet private key to this skill without strong review and safeguards. Treat the key as highly sensitive.
- Audit the scripts you plan to run. The bridge script will attempt to bridge nearly the entire token balance automatically — run it only after inspecting the code and testing on testnet with a throwaway key.
- Prefer using a testnet or a throwaway wallet first to validate behavior, or use a hardware wallet / multisig where feasible (these scripts expect raw private keys and will not work with hardware wallets as-is).
- Pin and inspect dependencies locally (package.json). Run npm install in an isolated environment and review node_modules, or use a reproducible lockfile to avoid supply-chain risks.
- Note inconsistent env var names across scripts (WALLET_PRIVATE_KEY vs PRIVATE_KEY). Use caution to avoid accidentally exposing the wrong key.
- If you decide to use it, run each action manually (read the script, run in dry-run or with small amounts) and avoid any script that automatically moves your entire balance without confirmation.
Given the metadata omissions and potentially destructive defaults, treat this skill as suspicious until you (or a trusted auditor) verify the code and run it in a safe environment.
