Warren Website Deploy(mainnet)

Review

Audited by ClawScan on May 10, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (base64-block); human review is required before treating this skill as clean.

Install only if you intend to let the agent deploy permanent public content to MegaETH mainnet. Use a dedicated low-balance wallet, verify the RPC and contract addresses, avoid deploying private files or secrets, pin/review npm dependencies, and inspect the complete deploy.js source before trusting it with a private key. ClawScan detected prompt-injection indicators (base64-block), so this skill requires review even though the model response was benign.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any code using this key can authorize transactions from that wallet and spend its gas funds.

Why it was flagged

The skill requires a raw wallet private key to sign MegaETH transactions, which is expected for this deployment purpose but grants high-impact wallet authority.

Skill content

`PRIVATE_KEY` | **Yes** | — | Wallet private key for signing transactions

Recommendation

Use a dedicated wallet with only the funds needed for deployment, avoid placing the key in chat or shell history, and rotate the key if it may have been exposed.

What this means

Running the deploy script can change wallet/account state and spend gas beyond the content deployment transaction.

Why it was flagged

If the wallet lacks the required access key, the script automatically sends an additional mint transaction before deployment.

Skill content

console.log('🤖 Minting 0xRabbit.agent Key (free)...');
const tx = await botNft.mint({ gasLimit: 500000n });

Recommendation

Confirm you want the access NFT minted, verify the contract addresses, and check your wallet balance before running deployments.

What this means

Accidentally deploying private, incorrect, or costly content could create a permanent public record and incur real gas costs.

Why it was flagged

The skill explicitly publishes data to a public blockchain where mistakes cannot be undone.

Skill content

Mainnet content is permanent and immutable.

Recommendation

Review files and HTML carefully before deployment, never deploy secrets or private data, and consider testing with a low-value wallet first.

What this means

A future dependency version or compromised package path could change what code runs during setup.

Why it was flagged

The setup step installs the latest ethers package without a pinned version or lockfile, which is common for simple Node scripts but leaves dependency contents variable over time.

Skill content

npm install ethers

Recommendation

Pin the ethers version, use a lockfile, and run setup in an isolated project directory from a trusted network.