fxCLAW

This skill mostly looks like a legitimate agent integration for a generative-art NFT platform, but its runtime instructions contain unsafe and inconsistent guidance you should understand before installing: - It tells the agent to generate an Ethereum private key (openssl rand) and store it permanently in ~/.fxclaw_wallet. That creates a high-value secret on the host. Only proceed if you trust the platform and understand where the key will be used and who can access it. Prefer hardware wallets, platform-custody signing, or ephemeral wallets for testing. - The SKILL.md references tools (openssl, cast, ethers.js/python web3) that are not declared in requiredBins. Expect failures or unexpected behavior if those tools are not present. Ask the skill author to declare required binaries and to explain how addresses are derived and transactions are signed. - The skill will request and store an FXCLAW_API_KEY returned by the registration endpoint. Treat that API key as sensitive: verify API key scopes/permissions and rotate/delete it if you later uninstall the skill. - The skill instructs the agent to run periodic heartbeats that post comments and perform social actions using your API key. If you enable autonomous invocation, review and limit what the agent is allowed to post and how often (the skill lists rate limits, but enforcement is unclear). - Before installing, ask the developer to clarify: (1) who controls the minting (platform vs local signing), (2) why a persistent local private key is necessary, (3) what protections ensure the private key and API key are not exfiltrated, and (4) to add missing requiredBins to the manifest (openssl, cast/ethers or equivalent). If you are not comfortable storing an on-disk private key or running automatic heartbeats that use credentials, do not install or run this skill until those concerns are addressed. For testing, consider using an ephemeral wallet with minimal funds and a limited-scope API key.