v1.0.0

Abstract Toolkit

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:21 AM.

Analysis

This toolkit is coherent for Abstract blockchain work, but it needs careful review because it uses a raw wallet private key to perform irreversible mainnet transfers, swaps, bridges, deployments, and arbitrary contract writes.

Guidance: Only install or use this with a disposable, low-balance wallet and explicit human approval for each transaction. Verify contract addresses, router addresses, and dependency versions before signing anything, and prefer testnet until the workflow is proven safe.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High. Confidence: High. Status: Concern.
scripts/call-contract.js
else if (args[i] === "--write") isWrite = true;
...
const tx = await contract[functionName](...functionArgs, {
  value: ethers.parseEther(value)
});

The script can call any user-specified contract function with arbitrary arguments and optional ETH value when --write is used, without an allowlist, simulation requirement, or confirmation step in the script.

User impact: A mistaken or manipulated contract address, ABI, function name, or argument could trigger unintended on-chain changes or asset movement.
Recommendation: Default to read-only calls, require per-transaction approval, simulate transactions before sending, and restrict write calls to known contracts/functions where possible.

Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: High. Status: Note.
SKILL.md
npm install ethers zksync-ethers viem
npm install @matterlabs/hardhat-zksync
npm install @abstract-foundation/agw-client

The setup instructions install unpinned npm packages that are expected for this toolkit, but those packages may handle wallet keys and transaction signing.

User impact: Dependency changes or compromised packages could affect a wallet-signing workflow if the user installs them without verification.
Recommendation: Pin dependency versions, review package provenance, use a lockfile, and install in a separate project environment before providing wallet credentials.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High. Confidence: High. Status: Concern.
SKILL.md
export WALLET_PRIVATE_KEY=0x...
node scripts/relay-bridge.js --from base --amount 0.01
...
node scripts/transfer.js --to 0x... --amount 0.01

The skill asks for a raw wallet private key for asset-moving operations. This is purpose-aligned for blockchain transactions, but it is high-impact authority and the registry metadata declares no primary credential or required environment variable.

User impact: If used with a real wallet, the agent can sign irreversible transactions that spend, move, bridge, swap, or deploy using that wallet.
Recommendation: Use a dedicated low-balance wallet, test on testnet first, never provide a primary wallet key, and require explicit human review for every transaction.