Warren Website Deploy(mainnet)
v1.0.6Deploy websites and files permanently on MegaETH mainnet using SSTORE2. Agents use their own wallet and pay gas.
⭐ 0· 1.2k·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match what the code does: deploy on MegaETH via SSTORE2 using contract creation. Required pieces (node, PRIVATE_KEY) and included artifacts (page bytecode, deploy script) are appropriate for on‑chain deployment. No unrelated services, credentials, or binaries are requested.
Instruction Scope
SKILL.md instructs running setup.sh and node deploy.js with a PRIVATE_KEY and optional RPC_URL; the runtime instructions and CLI options align with deploying HTML/files. The doc claims limited file access and only the RPC endpoint is contacted; the included deploy.js uses an ethers JsonRpcProvider and the page bytecode module and does not reference other network endpoints in the visible code.
Install Mechanism
There is no formal install spec, but setup.sh runs 'npm install ethers' which is expected for a Node script. This pulls code from the npm registry (standard but moderate risk); no obscure download URLs or archived extracts are used. Users should audit package install and run setup.sh manually.
Credentials
Only PRIVATE_KEY is required (plus optional RPC_URL/chain/configs). Requesting the wallet private key is proportionate to producing signed transactions. No additional unrelated secrets or config paths are requested.
Persistence & Privilege
Skill is not always-enabled and does not request system-wide persistence. It executes user-invoked scripts and deploys contracts under the supplied wallet; nothing in the package attempts to modify other skills or global agent settings.
Scan Findings in Context
[base64-block] unexpected: A prompt-injection pattern (base64 block) was detected inside SKILL.md. There is no visible need for base64-encoded payloads in a deployment README; this may be a false positive or leftover content. It does not match the expected deployment behavior and is worth a quick manual check of SKILL.md for hidden/encoded content before trusting the skill.
Assessment
This skill appears to do what it says: create on‑chain contracts containing your content and mint a record on MegaETH. Before using it on mainnet: 1) Review the full deploy.js file (the package is included) to ensure nothing logs or transmits your PRIVATE_KEY (the code shown does not). 2) Run setup.sh and the script in an isolated directory and inspect installed npm modules (npm install ethers is expected). 3) Prefer using a throwaway wallet with minimal funds for initial tests; do not expose a production key. 4) Verify the contract addresses and RPC endpoint on an independent block explorer and the project's upstream repo (SKILL.md claims a GitHub source and thewarren.app homepage) before trusting minting behavior. 5) Investigate the SKILL.md base64-block flag (search for encoded blocks) to ensure there is no hidden payload or instructions. If you want higher assurance, test on a MegaETH testnet or with very small amounts of ETH first.Like a lobster shell, security has layers — review code before you run it.
latestvk977mt2f2p4swcybybwba2yv3981gpnk
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⛓️ Clawdis
Any binnode
EnvPRIVATE_KEY
Primary envPRIVATE_KEY