Qelt Contracts

Review

Audited by ClawScan on May 1, 2026.

Overview

This instruction-only skill is coherent and purpose-aligned, but users should review any verification submission, because contract source becomes public, and should treat the optional npm tools as separate trust decisions.

This skill appears safe for its stated purpose if you intend to use QELT’s verification API. Before any POST verification request, confirm you want the contract source made public and ensure it contains no private keys, secrets, or proprietary code you do not want disclosed. Treat the optional npm plugin/CLI as separate software to review before installing.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Submitting the wrong contract source, constructor data, or files containing secrets could permanently expose that information publicly.

Why it was flagged

The skill can use curl to submit contract source code to an external verification API, and the artifact explicitly discloses that successful verification makes the source public.

Skill content

curl -fsSL -X POST "https://mnindexer.qelt.ai/api/v1/verification/submit" ... "sourceCode" ... "Verification is permanent — source becomes public once verified."

Recommendation

Treat verification submission as an explicit approval step: check whether the contract is already verified first, review the exact source files and arguments, and remove any secrets before submitting.

What this means

If a user chooses those optional tools, they are trusting external npm packages not included in this artifact review.

Why it was flagged

The core skill is instruction-only, but the documentation suggests optional npm packages, including an unpinned @latest install and a global CLI install.

Skill content

**Hardhat Plugin:** `npm install --save-dev @qelt/hardhat-verify@latest` ... **CLI Tool:** `npm install -g qelt-verify`

Recommendation

Install optional developer tools only if needed, verify the package provenance, and prefer pinned versions where possible.