Bsc Dev Monitor Skill

Anyone with the package could potentially abuse the exposed ClawHub account, and running the deployment script would use credentials unrelated to normal wallet monitoring.

The artifact contains an actual hardcoded ClawHub login password, redacted here, and the script uses it to authenticate and upload a skill.

The payment key could be copied from the skill and misused for billing-related API calls or leaked through URLs/logs.

A SkillPay API key is embedded in runtime code and is also placed into generated payment-link query data, exposing payment-provider authority to anyone who can inspect or receive the package/output.

Users may agree to the skill expecting one price or billing mode and encounter different billing behavior.

The runtime code references 0.01 USDT and a per-detection default, while SKILL.md advertises 0.001 USDT per call, making the actual charge behavior ambiguous.

Running deployment helpers could change the local environment or publish/upload code unintentionally.

The deployment helper can install a global package and publish the current directory if a user or agent runs it, though no install spec indicates it runs automatically.

A monitor may keep polling and sending notifications until its duration expires or it is stopped.

Creating a monitor starts a repeated background loop. This is purpose-aligned and SKILL.md documents duration/stop controls, but users should notice that monitoring can continue over time.

The configured webhook endpoint can learn which addresses/tokens you monitor and when detections occur.

The skill supports automatic webhook notifications to a user-supplied URL, which is expected for alerts but sends monitored-event data outside the skill.