Use Arc
Advisory
Audited by Static analysis on Mar 16, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user mishandles or exposes the private key, someone else could control that wallet.
The skill documents use of a wallet private key for deployment. This is expected for smart-contract deployment guidance, but private keys are high-impact credentials.
PRIVATE_KEY= # Deployer wallet private key
Use a dedicated testnet deployer wallet, avoid pasting private keys into chat, prefer encrypted keystores or secure secret managers, and never reuse a wallet that holds real funds.
Running deployment commands can publish contracts or transactions to the configured network.
The example command broadcasts a blockchain deployment transaction using a private key. This is aligned with the skill's developer purpose and limited to Arc Testnet, but it is still a state-changing action.
forge create src/MyContract.sol:MyContract \
  --rpc-url $ARC_TESTNET_RPC_URL \
  --private-key $PRIVATE_KEY \
  --broadcast
Review the network, contract, and wallet before broadcasting; keep the testnet-only limitation; and require explicit user confirmation before sending transactions.
Running this command gives the remote installer script the ability to make changes in the user's local environment.
The setup example downloads and executes a remote installer script. This is a common developer setup pattern and purpose-aligned, but it executes code from an external source.
curl -L https://foundry.paradigm.xyz | bash && foundryup
Verify the installer source, review installation instructions from the official Foundry project, and avoid running remote shell installers in sensitive environments without review.
