NEAR Agent Skills
Analysis
The skill appears to be a read-only NEAR blockchain analytics/gas helper that uses expected public APIs and npm dependencies, with no wallet access or account-changing behavior shown.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
"scripts": { "build": "tsc", "test": "vitest run" }, ... "dependencies": { "near-api-js": "^5.0.1", "node-fetch": "^2.7.0" }The skill relies on npm dependencies and a TypeScript build step. This is expected for a Node-based blockchain skill, and no postinstall script or hidden downloader is shown, but dependency provenance still matters.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
fetch(`https://api.nearblocks.io/v1/account/${account_id}/txns?limit=25`)The gas history function sends the requested account ID to a third-party Nearblocks API. This is purpose-aligned for blockchain analytics, but it discloses which account the user is querying.