Opensea Skill
VirusTotal audit pending.
Overview
No VirusTotal analysis has been recorded yet. File reputation checks will appear here once the artifact hash has been scanned.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could choose a broad raw API path instead of a safer, task-specific workflow, increasing the chance of unintended marketplace or transaction-building actions.
The API sub-skill presents itself as read-only and routes trading elsewhere, but also exposes a generic POST helper for any endpoint. In a bundle that supports orders, sweeps, swaps, transfers, and wallet signing, this is an overbroad escape hatch unless tightly approval-gated.
description: ... Read-only operations; for trading use opensea-marketplace ... | Any POST endpoint | `opensea-post.sh <path> <json_body>` |
Use this skill only with explicit user confirmation for any POST, purchase, swap, listing, offer, transfer, or signing step; maintainers should document an allowlist or require handoff to the narrower sub-skill workflows.
If wallet credentials are too powerful or placed in the agent environment without limits, mistaken or compromised agent actions could spend funds or sign transactions.
Wallet-provider credentials and local private keys are expected for a trading/signing skill, but they grant high-impact authority over onchain assets.
`opensea-marketplace` ... **Auth**: `OPENSEA_API_KEY` + wallet provider credentials ... `opensea-wallet` ... Supports Privy, Turnkey, Fireblocks, Bankr, and local private keys.
Use least-privilege wallet credentials, spending caps, allowlists, and hot-wallet float limits, and keep administrative credentials separate from the agent environment.
Installing or running external CLI packages can execute code from the package source on the local machine.
The documented setup relies on external npx/npm installation paths. This is normal for this CLI-centered skill, but users should be aware of the package provenance and version they run.
npx skills add ProjectOpenSea/opensea-skill --yes ... npm install -g @opensea/cli
Install from the official OpenSea repository/package, review versions before use, and avoid running unreviewed package commands in sensitive environments.
