Ethereum L2 Analytics 以太坊L2分析
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The L2 analytics content is mostly coherent, but the package embeds a SkillPay API key and crypto payment verification flow that is not clearly explained in the main skill instructions.
Treat this as a review-before-install skill: the analytics materials and local scripts look mostly scoped, but verify the paid-use terms, avoid sharing wallet details unless necessary, and do not trust the payment module until the hardcoded API key and missing-file references are addressed.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bundled payment credential can be misused or become invalid/compromised, and users have limited assurance about what authority it grants to the payment service.
The skill embeds a bearer-style payment API key directly in distributed code and uses it for SkillPay verification, creating unclear credential scope and rotation boundaries.
SKILLPAY_API_KEY = "sk_f03aa8f8bbcf79f7aa11c112d904780f22e62add1464e3c41a79600a451eb1d2"
Do not install until the publisher removes hardcoded secrets, rotates this key, and uses a platform-managed or clearly scoped payment credential mechanism.
A user may invoke the skill expecting only analytics and later be routed into a crypto payment flow that was not obvious from the main instructions.
The code presents a per-call crypto payment requirement, while the main SKILL.md describes analytics features and risk disclaimers but does not clearly disclose the paid-use flow.
价格: {PRICE} USDT / 次调用
The publisher should disclose pricing, payment destination, refund/verification behavior, and what data is sent to SkillPay directly in SKILL.md and registry metadata.
If you provide a wallet address, it may be linked to this skill usage by the payment provider.
Payment verification sends a supplied wallet address and timestamp to an external provider endpoint at api.skillpay.io.
"user_address": user_address
Only provide a wallet address if you are comfortable sharing it with the payment provider, and prefer a payment flow with clear privacy terms.
Some advertised functionality may fail or may require unreviewed files from elsewhere if a user or agent tries to complete the missing pieces.
SKILL.md references scripts and a guide that are not included in the provided file manifest.
`scripts/tech_comparator.py` ... `scripts/bridge_analyzer.py` ... `references/airdrops.md`
Use only the files included in the reviewed package, and ask the publisher to include or remove the missing referenced files.
