ClawHub

Qelt Indexer

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill is mainly a public QELT blockchain lookup guide, with no code or credentials, but users should notice its external API calls and a reference to POST contract-verification endpoints.

This appears safe for ordinary public QELT blockchain lookups. Before installing, understand that queries go to qelt.ai, and do not allow contract-verification POST actions or source-code submission unless you explicitly want that.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI02: Tool Misuse and Exploitation
Low
What this means

Wallet addresses, transaction hashes, block IDs, or similar query terms may be sent to the QELT indexer service.

Why it was flagged

The skill relies on shell/curl calls to an external QELT API. This is disclosed and central to the stated lookup purpose, but it is still a tool/network capability users should keep scoped.

Skill content
allowed-tools: Bash(qelt-indexer:*) ... curl -fsSL "https://mnindexer.qelt.ai/v1/blocks/latest"
Recommendation

Use it for public QELT blockchain identifiers, and review carefully if the agent proposes commands outside the documented QELT API domains or outside the requested lookup.

#ASI09: Human-Agent Trust Exploitation
Low
What this means

A user could incorrectly assume every referenced endpoint is read-only, when contract verification would involve submitting data to the external service.

Why it was flagged

These documented POST submission endpoints are outside the main GET-only workflows and conflict with the SKILL.md safety framing that the API is read-only with no write operations.

Skill content
POST | `/api/v1/verification/submit` | Single-file verification ... POST | `/api/v1/verification/submit-multi` | Multi-file verification
Recommendation

Treat contract verification as a separate data-submission action requiring explicit user intent, and avoid sending private or sensitive source code unless that is clearly desired.