ClawHub

OnChain Analysis

v1.0.0

Interpret on-chain behavior to reveal structural truth. Analyze token distribution, treasury structure, governance architecture, and risk vectors through ver...

0· 51·0 current·0 all-time
byMauricio Z. Filho@mzfshark
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (on-chain analysis, token distribution, treasury, governance) align with the declared footprint: no binaries, no env vars, no install. Nothing requested is disproportionate to an analysis-only skill.
Instruction Scope
SKILL.md is high-level and descriptive but contains no concrete runtime constraints (no specified APIs, endpoints, or data sources). That leaves the agent broad discretion to fetch on-chain data from third-party services or other network endpoints when invoked. This is not inherently malicious, but it is vague and grants the agent latitude to make external calls or request credentials at runtime.
Install Mechanism
No install spec and no code files—lowest-risk installation model. Nothing will be written to disk by an automated installer.
Credentials
The skill declares no required environment variables, credentials, or config paths, which is proportionate to the described purpose. Note: because instructions are unspecified, the agent may later ask the user for API keys (e.g., Etherscan, Alchemy) when performing live queries.
Persistence & Privilege
always is false and user-invocable behavior is default. The skill does not request persistent or elevated privileges beyond standard autonomous invocation (disable-model-invocation is false, which is normal).
Assessment
This skill appears internally consistent and low-risk because it is instruction-only and requests no credentials. Before installing, consider: (1) the SKILL.md is high-level and does not list where it will fetch on-chain data from—ask the publisher which APIs or RPC endpoints the skill will use; (2) there is no homepage or external source listed and the registry metadata owner differs from the internal _meta.json owner field—verify the author/maintainer if provenance matters to you; (3) although the skill itself doesn't request secrets, it may prompt you for API keys or RPC credentials at runtime to fetch on-chain data—only provide keys you trust and consider using scoped or read-only keys; (4) if you want to limit risk, disable autonomous invocation for this skill or review any runtime prompts the agent makes before supplying credentials or approving network access.

Like a lobster shell, security has layers — review code before you run it.

betavk970g9am9kj3vj1t55e3ykrf7n83zhqdlatestvk970g9am9kj3vj1t55e3ykrf7n83zhqd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments