Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Qelt Contracts
v0.1.0
Verify, inspect, and retrieve verified Solidity smart contracts, ABIs, and compiler/EVM versions on the QELT blockchain using the Mainnet Indexer API.
by @prqelt
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim verification and ABI retrieval on QELT; SKILL.md only documents HTTP calls to the mnindexer.qelt.ai verification API and related helper commands. No unrelated permissions, binaries, or secrets are requested.
Instruction Scope
Instructions are narrowly scoped to querying/verifying contracts, polling job status, and fetching compiler/EVM lists. They explicitly warn not to submit private keys and instruct checking verification state before submitting to avoid wasting rate-limited submissions.
Install Mechanism
This is instruction-only (no install spec, no code to write). All example calls use curl against a documented API endpoint; nothing is downloaded or executed by the skill itself.
Credentials
The skill declares no required environment variables or credentials (appropriate). One minor inconsistency: SKILL.md metadata mentions 'bins': ['curl'] (i.e., expects curl on PATH) while the registry-level 'Required binaries' list is empty. This is operational sloppiness rather than a security mismatch. No secrets are requested.
Persistence & Privilege
Skill is not marked always:true and requests no persistent credentials or config changes. It allows autonomous invocation by default (platform default) but this is proportionate to its functionality.
Assessment
This skill looks coherent: it instructs the agent how to talk to the QELT Mainnet Indexer and does not request credentials or install code. Before using it, verify you trust the domain (https://mnindexer.qelt.ai), and never submit source code that contains private keys, secrets, or other sensitive data (the skill itself warns of this). Note the small metadata inconsistencies: SKILL.md expects curl on PATH and _meta.json contains a placeholder ownerId. These suggest the package may be a community/templated submission, so if you need higher assurance, confirm the skill's publisher or use the API manually (curl) rather than delegating sensitive code to an automated agent.
