Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

clawcontract

AI-powered smart contract generator, analyzer, and deployer for BNB Chain (BSC/opBNB). Use when you need to generate Solidity from natural language, run secu...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by cvpfus @sufnoobzac
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required binary (clawcontract), install spec (npm package), and required env vars (AI API key, private key for deploy, BscScan API key for verification) all align with a CLI that generates, analyzes, deploys, and verifies contracts on BNB chains. Minor metadata inconsistency: the registry primary credential field is 'none' while CLAWCONTRACT_PRIVATE_KEY is listed in requires.env, but this is a documentation/metadata mismatch rather than a functional mismatch.
Instruction Scope
SKILL.md is an instruction-only CLI wrapper that stays within scope: it runs clawcontract commands, writes generated source to ./contracts/, and stores deployment metadata in .deployments/. Notable agent-impacting behaviors: the full pipeline can auto-fix generated code (up to 3 attempts) and deploys automatically (no interactive blocking prompt for mainnet), which means an agent with access to a funded private key can perform live transactions without interactive confirmation. The README provides flags (--skip-deploy, --skip-fix) to reduce this risk.
Install Mechanism
Install uses an npm package named 'clawcontract' which creates the expected binary. This is a standard package install mechanism; it is traceable on npm/GitHub rather than pulling arbitrary archives from unknown hosts. As with any npm package, users should verify the package provenance and review the package contents before installation.
Credentials
The three required env vars (OPENROUTER API key for AI generation, PRIVATE_KEY for signing deployments, BSCSCAN API key for verification) are proportionate to the stated features. The PRIVATE_KEY is highly sensitive — only provide it when you intend to deploy, and prefer testnet or throwaway keys for trials. The metadata omission of a declared primary credential is a minor inconsistency.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide settings. It writes files only to local contract and deployments paths described in SKILL.md. Autonomous invocation is allowed but is the platform default; combined with the required PRIVATE_KEY this gives the agent the ability to sign transactions, which is expected for a deployer CLI.
Assessment
This skill appears to do what it claims, but take these precautions before installing or running it:
  1) Do not supply a funded mainnet private key unless you intentionally want the agent to be able to deploy live contracts — use testnet or throwaway keys for initial experiments.
  2) Review the npm package source (https://github.com/cvpfus/clawcontract and the package contents) before npm installing to confirm there are no surprises.
  3) If you want to prevent accidental deploys or automated code changes, run commands with --skip-deploy and/or --skip-fix when invoking the 'full' pipeline.
  4) Treat CLAWCONTRACT_PRIVATE_KEY as highly sensitive (store it securely and avoid putting it in broad CI/CD environments).
  5) Note the minor metadata inconsistency (primary credential not declared) — this is likely harmless but worth being aware of.


Current version: v1.0.8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Bins: clawcontract
Env: CLAWCONTRACT_OPENROUTER_API_KEY, CLAWCONTRACT_PRIVATE_KEY, CLAWCONTRACT_BSCSCAN_API_KEY

Install

Install clawcontract (npm)
Bins: clawcontract
npm i -g clawcontract

SKILL.md

ClawContract

Generate, analyze, deploy, and verify smart contracts on BNB Chain via CLI.

Source & install: https://github.com/cvpfus/clawcontract — clone the repo, run pnpm install && pnpm build && npm link.

Quick Start

Generate a contract:

clawcontract generate "escrow contract for peer to peer trades with dispute resolution and timeout auto release"

Full pipeline (generate → analyze → deploy → verify):

clawcontract full "escrow contract for peer to peer trades with dispute resolution and timeout auto release" --chain bsc-testnet

Deploy an existing contract:

clawcontract deploy ./contracts/VibeToken.sol --chain bsc-testnet

Interact with a deployed contract:

clawcontract interact 0xABC... name --chain bsc-testnet

List deployment records:

clawcontract list
clawcontract list --chain bsc-testnet

Delete a deployment record:

clawcontract delete 0xABC...def

References

  • Full command reference (all flags, examples, notes): See {baseDir}/references/commands.md

Supported Chains

Key             Chain                    Testnet
bsc-mainnet     BNB Smart Chain          No
bsc-testnet     BNB Smart Chain Testnet  Yes
opbnb-mainnet   opBNB                    No
opbnb-testnet   opBNB Testnet            Yes

Default: bsc-testnet.

Env Vars

Configure via docker-compose.yml or set directly in the environment.

Variable                         Required    Purpose
CLAWCONTRACT_OPENROUTER_API_KEY  Yes         AI contract generation
CLAWCONTRACT_PRIVATE_KEY         For deploy  Wallet for deployment — must be supplied by user
CLAWCONTRACT_BSCSCAN_API_KEY     For verify  Contract verification on BscScan/opBNBScan
CLAWCONTRACT_OPENROUTER_MODEL    No          Model override (default: anthropic/claude-sonnet-4-20250514)

Artifacts

The CLI writes the following files to disk during normal operation:

Path                 When            Contents
contracts/*.sol      generate, full  Generated Solidity source
.deployments/*.json  deploy, full    Deployment metadata (address, chain, tx hash)

Safety

  • No auto-generated keys. CLAWCONTRACT_PRIVATE_KEY must be explicitly provided by the user via environment variable. The CLI will not generate or persist a private key on its own.
  • Mainnet warning (non-blocking). Deployment to mainnet chains prints a bold warning about real costs but does not block on a prompt — the deploy proceeds automatically. This is by design: the CLI targets agent-driven pipelines where stdin is unavailable. Users control mainnet exposure by choosing --chain explicitly (default is bsc-testnet).
  • delete confirmation prompt. delete is the sole interactive command — it shows deployment details and asks Remove this deployment? (y/N). Use --force to skip the prompt (agent-friendly). This is safe because delete only removes local metadata; it cannot affect on-chain state.
  • Automatic fix attempts. During full, if high-severity issues are found the AI attempts to fix and re-analyze (up to 3 rounds). This means the agent may modify generated source before deploy. Mitigations:
    • Use --skip-fix to disable auto-fix entirely.
    • Use --skip-deploy to review the final source and analysis before any on-chain action.
    • Fixes only target the generated file in contracts/; no other files are modified.
  • Accidental live-deploy risk. Because CLAWCONTRACT_PRIVATE_KEY is mandatory for deploy and the default chain is bsc-testnet, accidental mainnet deploys require the user to both set a funded mainnet key and explicitly pass --chain bsc-mainnet or --chain opbnb-mainnet. Neither can happen silently.
  • Prefer testnet chains and throwaway keys for initial trials.
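As an added example that is not part of clawcontract or its SKILL.md, a POSIX shell wrapper that enforces the mitigations listed above before the CLI runs: it refuses bsc-mainnet and opbnb-mainnet unless an opt-in variable is set, and appends --skip-deploy and --skip-fix to the full pipeline unless explicitly allowed. The CLAWCONTRACT_ALLOW_* variables are hypothetical names read only by this wrapper; the chain keys and the --chain, --skip-deploy and --skip-fix flags are the ones documented on this page.

```shell
#!/bin/sh
# Added example, not part of the clawcontract project: a guard wrapper around the CLI.
# Hypothetical opt-in variables read only by this wrapper (not CLI features):
#   CLAWCONTRACT_ALLOW_MAINNET=1  permit --chain bsc-mainnet / opbnb-mainnet
#   CLAWCONTRACT_ALLOW_DEPLOY=1   let `full` deploy (otherwise --skip-deploy is added)
#   CLAWCONTRACT_ALLOW_AUTOFIX=1  let `full` auto-fix (otherwise --skip-fix is added)

# Print the chain key given after --chain, or the documented default (bsc-testnet).
chain_from_args() {
    prev=""
    for a in "$@"; do
        [ "$prev" = "--chain" ] && { printf '%s\n' "$a"; return 0; }
        prev="$a"
    done
    printf '%s\n' "bsc-testnet"
}

# Status 0 when the invocation may run, 1 when it must be refused.
# Mainnet deploys only print a non-blocking warning, so the opt-in is enforced here.
guard_check() {
    chain=$(chain_from_args "$@")
    case "$chain" in
        bsc-testnet|opbnb-testnet) return 0 ;;
        bsc-mainnet|opbnb-mainnet)
            [ "${CLAWCONTRACT_ALLOW_MAINNET:-0}" = "1" ] && return 0
            printf 'refused: %s requires CLAWCONTRACT_ALLOW_MAINNET=1\n' "$chain" >&2
            return 1 ;;
        *)  printf 'refused: unknown chain %s\n' "$chain" >&2; return 1 ;;
    esac
}

# Print the flags to append: for `full`, --skip-deploy and --skip-fix unless the
# caller already passed them or opted in. Other subcommands get nothing appended.
extra_flags() {
    [ "$1" = "full" ] || return 0
    shift
    flags=""
    case " $* " in *" --skip-deploy "*) ;; *)
        [ "${CLAWCONTRACT_ALLOW_DEPLOY:-0}" = "1" ] || flags="--skip-deploy" ;;
    esac
    case " $* " in *" --skip-fix "*) ;; *)
        [ "${CLAWCONTRACT_ALLOW_AUTOFIX:-0}" = "1" ] || flags="${flags:+$flags }--skip-fix" ;;
    esac
    printf '%s\n' "$flags"
}

# Usage: clawcontract_guarded full "escrow contract ..." --chain bsc-testnet
clawcontract_guarded() {
    guard_check "$@" || return 1
    command clawcontract "$@" $(extra_flags "$@")   # unquoted on purpose: flags hold no spaces
}
```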

Files

2 total