Warren NFT Deploy(mainnet)
v1.0.8Deploy NFT collections permanently on MegaETH mainnet. Images are stored on-chain via SSTORE2, then published through WarrenContainer and WarrenLaunchedNFT.
⭐ 0· 1.2k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (deploy on MegaETH, store images on-chain via SSTORE2) align with the included artifacts: Node script (deploy-nft.js), compiled bytecode (page & NFT), and setup.sh which installs ethers. Requiring node and a PRIVATE_KEY is appropriate for signing transactions on-chain. Contract addresses and an optional REGISTER_API are coherent with a workflow that publishes the deployed collection to thewarren.app launchpad.
Instruction Scope
SKILL.md instructs only to run setup.sh and then run deploy-nft.js with your PRIVATE_KEY and options. It documents interactions with MegaETH RPC and an external registration endpoint (REGISTER_API). That registration step is plausible for publishing a mint page, but it is the primary area to review for data sharing: check whether the code posts only public collection IDs/contract addresses or also transmits private data (the posted code snippet didn't show the registration code in full).
Install Mechanism
There is no formal install spec in the registry, but the package includes a setup.sh that runs npm install ethers (npm is a well-known registry). This is a low-to-moderate risk install path (pulls dependencies from npm into node_modules). No downloads from obscure URLs or archives were observed in the provided files.
Credentials
The skill requires PRIVATE_KEY (declared as primaryEnv) and optionally RPC_URL and other MegaETH-related addresses — all directly relevant to deploying and registering on-chain NFTs. The number and type of env vars is proportionate. Important caution: a wallet private key is sensitive; verify the code does not leak it to any external endpoint before using.
Persistence & Privilege
The skill is not always-enabled and does not request system-level config paths. It is user-invocable and can run autonomously per platform defaults; this is expected for skills. No evidence it modifies other skills or global agent settings.
Scan Findings in Context
[base64-block] expected: The SKILL.md and included bytecode/JSON contain large blocks of hex/bytecode and long strings; the scanner flagged base64-like blocks inside SKILL.md. This is likely a false positive tied to embedded compiled bytecode/metadata, not an attempt at prompt injection, but you should still inspect the SKILL.md and code for any suspicious embedded payloads.
Assessment
This skill appears to do what it says: it bundles Node code and compiled bytecode to deploy on MegaETH and requires a PRIVATE_KEY so it can sign transactions. Before using with a valuable wallet, do the following: 1) Manually review deploy-nft.js (search for any HTTP requests that send sensitive data) and confirm REGISTER_API POSTs only public data (contract addresses, token ids, metadata) and not your private key or raw images unless you intend that. 2) Prefer running on a burner/test wallet or small fund first to confirm behavior and gas estimates. 3) Inspect thewarren.app endpoint (REGISTER_API) and the referenced GitHub repo (metadata lists a source URL) to verify the operator/trustworthiness. 4) Note setup.sh runs npm install — run it in an isolated directory or container to avoid polluting your environment. 5) If you are uncomfortable, ask the skill publisher for audited source or run the scripts against a testnet or forked node first.Like a lobster shell, security has layers — review code before you run it.
latestvk97eswqnt1brpncd33w8zexxex81ghem
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🖼️ Clawdis
Any binnode
EnvPRIVATE_KEY
Primary envPRIVATE_KEY