sol-bsc-dev-monitor-skill
Security checks across malware telemetry and agentic risk
Overview
The monitor mostly matches its stated purpose, but it embeds a live billing API key and payment-charge logic that users should review carefully before installing.
Review the billing implementation before installing. The monitor code does not show private-key use or automatic trading, but the packaged source contains a hardcoded SkillPay API key and charge logic, and the package appears incomplete for npm-based execution.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A billing credential is exposed in the skill package, and the skill includes code that can deduct paid tokens before monitoring.
The skill ships a hardcoded billing credential and uses it to call a charge endpoint for a supplied user ID and amount.
const API_KEY = 'sk_f072...b5'; ... fetch(`${BILLING_API_URL}/charge`, { method: 'POST', headers: { 'X-API-Key': API_KEY }, body: JSON.stringify({ user_id: userId, skill_id: SKILL_ID, amount }) })
Do not install until the publisher moves billing credentials server-side or into a protected platform mechanism, and verify exactly when charges occur.
Users could misunderstand the claim as meaning the skill has no cost or financial impact, even though billing charges are part of the workflow.
The security wording emphasizes zero financial risk while the same artifacts document paid token deductions for monitoring.
✅ Zero financial risk ... No spending of funds ... Tokens are deducted before monitoring
Treat the safety claim as only meaning no automatic crypto trades; confirm pricing and charge timing before use.
The runnable package and dependency provenance are incomplete in the reviewed artifacts, so users may not be able to verify or reproduce the intended execution path.
The docs ask users to install/run Node code and reference index.js, but the provided manifest does not include package.json, a lockfile, or index.js.
npm install ... node index.js '{"action":"balance","userId":"your-user-id"}'
Ask the publisher to include the full package manifest, lockfile, and referenced entrypoint before running npm or node commands.
Running the skill executes local JavaScript that writes logs and makes outbound network requests.
The skill is operated by running local Node.js scripts; this is expected for the monitor, but it means local code executes with the user's file and network permissions.
node index-sol-safe.js monitor <ADDRESS> SOL <DURATION> ... node index-bsc.js monitor <ADDRESS> BSC <DURATION>
Run it only in a directory/account where local log writes and outbound RPC/billing calls are acceptable.
The stored files may reveal which wallets or tokens the user is monitoring, even though the blockchain data itself is public.
The skill persistently stores monitoring logs and detection history, including watched addresses and transaction details.
Data Stored Locally: `logs-sol/sol-monitor.log` ... `detections-sol/detections.json` ... `detections-bsc/detections.json`
Treat logs and detection files as potentially sensitive research history and delete or protect them when needed.