Ethereum
Assist with Ethereum transactions, gas optimization, token approvals, and L2 bridges.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 2 · 975 · 4 current installs · 4 all-time installs
byIván@ivangdavila
MIT-0
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The SKILL.md content (nonces, EIP-1559 gas, token approvals, L2 bridging, MEV, address validation) directly matches the name and description. There are no unrelated required binaries, env vars, or config paths.
Instruction Scope
Instructions are purely advisory and reference reputable third-party services (etherscan, revoke.cash, Tenderly, Flashbots). They do not instruct the agent to read local files, environment variables, or send data to unexpected endpoints. Note: the guidance recommends using external RPC/relay services (e.g., protect.flashbots.net), which is expected for MEV protection but means transactions could be routed through those third parties—users should be aware of privacy/trust tradeoffs.
Install Mechanism
No install spec and no code files (instruction-only). Nothing is written to disk and no third-party packages are pulled.
Credentials
The skill requests no environment variables, credentials, or config paths; this is proportionate to an advisory skill about Ethereum usage.
Persistence & Privilege
always is false and the skill is user-invocable. The skill does not request permanent presence or access to other skills' configs.
Scan Findings in Context
[no-findings] expected: The regex scanner found nothing because this is an instruction-only skill with no code files. That absence is expected for a text guidance skill, but does not prove safety beyond content review.
Assessment
This skill is a text-only advisor about Ethereum operations and appears internally consistent. Before installing: do not provide private keys or wallet mnemonics to any skill; test any procedural advice (nonce replacement, approvals, bridging) on small amounts first; verify third-party endpoints (etherscan, revoke.cash, Tenderly, Flashbots) you use are the official domains; understand that sending transactions through third-party RPC/relay services has privacy/trust implications. If the skill later adds code, install steps, or requests credentials, stop and re-evaluate because those would materially change the risk profile.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⟠ Clawdis
OSLinux · macOS · Windows
SKILL.md
Nonce and Stuck Transactions
- Every Ethereum account has a nonce that increments with each transaction — if tx with nonce 5 is pending, nonces 6+ are blocked until 5 confirms
- To unstick: send a new tx with the SAME nonce and higher gas — this replaces the pending tx (even a 0 ETH self-transfer works)
- MetaMask "Speed up" and "Cancel" buttons do exactly this — they resubmit with same nonce and higher priority fee
- Nonce gaps cause permanent stuck state — if nonce 3 was never broadcast but 4 was, 4 will never confirm until 3 is sent
Gas (EIP-1559)
maxFeePerGas= max total you'll pay per gas unit.maxPriorityFeePerGas= tip to validator.baseFee= burned, set by protocol- Actual cost:
min(baseFee + priorityFee, maxFee) × gasUsed— unused gas is refunded, but failed txs still consume gas - Gas limit is separate from gas price — setting limit too low causes "out of gas" revert, but you still pay for gas used up to that point
- Check current base fee at etherscan.io/gastracker or via
eth_gasPriceRPC — wallets often overestimate by 20-50%
Token Approvals (Critical Security)
- ERC-20
approve()grants a contract permission to spend your tokens — many dApps request unlimited (type(uint256).max) approval - If that contract gets hacked, attacker can drain all approved tokens even years later — audit approvals at revoke.cash
- Recommend users approve only the exact amount needed, or revoke after each use
- Approvals persist forever until explicitly revoked — changing wallets doesn't help if the old address still has tokens
Failed Transactions
- A reverted transaction is mined and consumes gas — you pay even though nothing happened
- Common causes: slippage exceeded, deadline passed, insufficient token balance, contract paused
- "Transaction failed" in explorer means it executed but reverted — completely different from "pending" (not yet mined)
- Simulating transactions before sending (via Tenderly or wallet preview) catches most revert conditions
L2 Bridges and Withdrawals
- Optimistic rollups (Optimism, Arbitrum, Base) have 7-day withdrawal period to mainnet — this is not a bug, it's the security model
- ZK rollups (zkSync, Starknet) have faster finality but bridging back still takes 1-24 hours depending on liquidity
- Third-party bridges (Hop, Across) offer faster exits but charge fees and have smart contract risk
- Never bridge more than you can afford to wait 7 days for — or use a fast bridge and accept the fee
MEV Protection
- Public mempool transactions can be frontrun or sandwiched — especially swaps on DEXs
- Flashbots Protect RPC (protect.flashbots.net) hides transactions from public mempool until mined
- Private transaction options: MEV Blocker, Flashbots Protect, or DEXs with native protection (CoW Swap)
- Signs of sandwich attack: swap executed at worse price than quoted, with suspicious txs immediately before and after yours
Address Validation
- Ethereum addresses are case-insensitive but the checksum (mixed case) catches typos —
0xABC...vs0xabc...are the same address - ENS domains can expire — always verify current owner before sending to a .eth name
- Contract addresses vs EOA: contracts can reject ETH transfers or behave unexpectedly — check on etherscan if address has code
- Some tokens have multiple addresses (official + scam clones) — verify contract address on CoinGecko or project's official site
Files
1 totalSelect a file
Select a file to preview.
Comments
Loading comments…