Use Smart Contract Platform

Result: Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: use-smart-contract-platform
Version: 0.1.0

The skill bundle provides a legitimate and well-documented interface for the Circle Smart Contract Platform, enabling contract deployment, interaction, and event monitoring. It includes explicit security instructions for the AI agent, such as requiring user confirmation for fund movements and prohibiting the hardcoding of secrets. No indicators of malicious intent, data exfiltration, or unauthorized execution were found in the code or documentation (SKILL.md, references/*.md).

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If production Circle credentials are provided, the agent may have the access needed to deploy contracts or initiate wallet-backed contract transactions.

Why it was flagged

These credentials can authorize Circle Smart Contract Platform and Developer-Controlled Wallet actions. The registry metadata declares no required environment variables or primary credential, so the skill's sensitive permission boundary is under-declared.

Skill content
CIRCLE_API_KEY=        # Circle API key ... ENTITY_SECRET=         # Registered entity secret for Developer-Controlled Wallets
Recommendation

Use sandbox or testnet credentials where possible, restrict keys to the least privilege available, do not provide production entity secrets unless necessary, and require explicit user approval before any wallet write or deployment.

What this means

A wrong or unintended write call could mint tokens, change contract state, spend fees, or perform irreversible blockchain actions.

Why it was flagged

The skill documents raw ABI-based write execution through a wallet. Such calls can invoke arbitrary contract functions and spend gas, but the artifacts do not define approval checks, chain restrictions, or parameter validation safeguards.

Skill content
Write calls require `walletId` and gas fee settings. ... walletClient.createContractExecutionTransaction({ ... abiFunctionSignature: "safeMint(address,uint256)" ... })
Recommendation

Before using write features, verify the chain, contract address, ABI signature, parameters, wallet ID, fee level, and recipient, and require a human confirmation step for every deploy, mint, airdrop, or contract write.

What this means

Contract event notifications may be sent to an endpoint you control; if that endpoint is insecure, event data can be exposed, and anyone who can reach the endpoint can post spoofed notifications that the agent may act on.

Why it was flagged

Webhook monitoring is purpose-aligned, but it creates an external data flow to a public endpoint and the artifact does not discuss webhook authentication, signature verification, or endpoint access controls.

Skill content
- A public HTTPS webhook endpoint that accepts POST ... Use this flow to receive webhook notifications when a contract emits specific events
Recommendation

Use HTTPS endpoints with authentication or signature verification, log only what is needed, and confirm which Circle webhook destination is configured before enabling monitors.

What this means

Installing packages from npm can execute package lifecycle scripts (preinstall, install, postinstall), and future package versions may differ from what the skill author tested.

Why it was flagged

The skill relies on user-installed npm packages. This is expected for the stated SDK integration, but versions are not pinned and no lockfile or install spec is provided in the artifacts.

Skill content
npm install @circle-fin/smart-contract-platform @circle-fin/developer-controlled-wallets
Recommendation

Install from the official npm registry, pin package versions, use a lockfile, and review package provenance before using production credentials.
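Two of these checks can be automated before production credentials are ever loaded. The following is an added example, not part of the skill: `findUnpinned` flags dependency specs in a package.json that are ranges or tags rather than exact versions, and `auditLockfile` walks a package-lock.json (lockfileVersion 2 or 3) and flags entries that have no integrity hash or that resolve anywhere other than the expected registry. The sample package.json and lockfile are constructed; the version numbers, tarball URLs and integrity value are placeholders, not the packages' real metadata.

```javascript
'use strict';

// An exact version is "MAJOR.MINOR.PATCH" with optional prerelease/build suffix.
// Ranges (^, ~, >=, *), dist-tags such as "latest", and git/URL/file specs are not pinned.
const EXACT_VERSION_RE = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const OFFICIAL_REGISTRY = 'https://registry.npmjs.org/';

// Return every dependency spec in a package.json that is not an exact version.
function findUnpinned(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION_RE.test(String(spec))) out.push(`${field}: ${name}@${spec}`);
    }
  }
  return out;
}

// Return lockfile entries with no integrity hash or resolved from an unexpected registry.
// Entries keyed "" (the root project) and workspace links are skipped.
function auditLockfile(lock, registry = OFFICIAL_REGISTRY) {
  if (!lock.packages) return ['lockfile has no "packages" section (lockfileVersion < 2?)'];
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '' || entry.link) continue;
    if (typeof entry.integrity !== 'string' || entry.integrity === '') out.push(`${path}: no integrity hash`);
    if (typeof entry.resolved !== 'string' || !entry.resolved.startsWith(registry)) {
      out.push(`${path}: resolved from ${entry.resolved || 'unknown'}`);
    }
  }
  return out;
}

// Constructed inputs. Versions, URLs and the integrity value are placeholders.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    '@circle-fin/smart-contract-platform': '^1.0.0', // range: not pinned
    '@circle-fin/developer-controlled-wallets': '1.0.0', // exact
  },
};
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: SAMPLE_PACKAGE_JSON.dependencies },
    'node_modules/@circle-fin/smart-contract-platform': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/@circle-fin/smart-contract-platform/-/smart-contract-platform-1.0.0.tgz',
      integrity: 'sha512-PLACEHOLDERintegrityValueNotReal==',
    },
    'node_modules/@circle-fin/developer-controlled-wallets': {
      version: '1.0.0',
      resolved: 'https://mirror.example.invalid/dcw-1.0.0.tgz', // off-registry, no integrity
    },
  },
};

console.log(findUnpinned(SAMPLE_PACKAGE_JSON));
console.log(auditLockfile(SAMPLE_LOCKFILE));
```

In practice, set `save-exact=true` and `ignore-scripts=true` in the project's `.npmrc` so new dependencies are recorded as exact versions and lifecycle scripts do not run on install, commit the lockfile, install with `npm ci` rather than `npm install`, and run these checks in CI before the step that has access to the Circle API key or entity secret.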