juicy
Pass
Audited by ClawScan on May 10, 2026.
Overview
This looks like a legitimate Juicebox/web3 reference skill, but generated pages may ask your wallet to sign or send real blockchain transactions and use third-party APIs.
Use this skill only if you expect Juicebox/web3 development help. Before using any generated UI with a real wallet, inspect the generated code, pin dependencies, confirm all chain and contract settings, prefer testnets or small amounts first, keep private keys out of the browser, and use server-side handling for API keys when possible.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a generated UI is used with incorrect project, chain, or contract settings, the user could send funds or interact with the wrong contract.
The generated interaction UI can initiate a wallet-authorized on-chain payment. This is central to a Juicebox interaction skill and requires wallet confirmation, but it is still a real financial action.
const hash = await walletClient.writeContract({
  address: terminal,
  abi: TERMINAL_ABI,
  functionName: 'pay',
  ...
  value,
  account: address
});
Review every generated transaction, especially project ID, chain ID, contract address, calldata, and amount. Test with small amounts or testnets before using real funds.
A signed forward request can authorize the encoded action on the specified chain and forwarder until it expires.
The omnichain template asks the user to sign typed forward requests that can be relayed later within a 48-hour deadline. This is purpose-aligned for Relayr-style deployment, but it is delegated wallet authority.
const deadline = Math.floor(Date.now() / 1000) + 48 * 60 * 60;
const signature = await walletClient.signTypedData({
  account: address,
  domain,
  types,
  primaryType: 'ForwardRequest',
  message
});
Only sign typed data after verifying the chain, forwarder, target contract, deadline, and decoded calldata. Avoid signing if the wallet prompt is unclear.
Relay/API providers may see wallet addresses, chains, signed request data, and transaction intent.
The template sends signed transaction requests to the external Relayr API. This is disclosed and aligned with multi-chain deployment, but it creates a third-party data and execution boundary.
const response = await fetch(`${RELAYR_API}/v1/bundle/prepaid`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ transactions: signedRequests, virtual_nonce_mode: 'Disabled' })
});
Use trusted official endpoints, review request bodies before sending, avoid sensitive memos or metadata, and do not expose private API keys in public client-side deployments.
A changed or compromised remote dependency could alter generated wallet-interaction pages.
Generated browser templates import wallet/transaction libraries from an external CDN at runtime. This supports the no-build UI pattern, but unpinned remote dependencies can affect transaction behavior if the dependency source changes.
import { createPublicClient, createWalletClient, http, custom, formatEther, parseEther, getContract } from 'https://esm.sh/viem';
Pin exact dependency versions, bundle dependencies, or use integrity-checked trusted copies before deploying a production wallet UI.
