Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Arbitrum Dapp Skill
v1.1.0
Opinionated guide for building dApps on Arbitrum using Stylus (Rust) and/or Solidity. Covers local devnode setup, contract development, testing, deployment, and React frontend integration with viem. Use when starting a new Arbitrum project, writing Stylus or Solidity contracts, deploying to Arbitrum, or building a frontend that interacts with Arbitrum contracts.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Arbitrum dApp guidance for Stylus/Solidity + frontend) align with the included README, SKILL.md, and reference docs. Required environment/config fields are none and the files only recommend standard dev env variables (PRIVATE_KEY, ARBISCAN_API_KEY) you would expect for deployments. There are no unrelated credentials, binaries, or operations requested that would be disproportionate to a dApp development guide.
Instruction Scope
SKILL.md and the reference docs describe running a local devnode (Docker), Foundry, cargo-stylus, and frontend code; they instruct use of PRIVATE_KEY and ARBISCAN_API_KEY for deployments (standard). The docs include the nitro-devnode's pre-funded deployer private key in references/local-devnode.md. This is the expected, well-known local-dev key, but it must never be reused on testnet/mainnet. The Next.js proxy example POSTs RPC traffic server-side (intended to solve CORS), which is normal for local development. No instructions ask the agent to access unrelated host files or to exfiltrate secrets.
Install Mechanism
There is no platform install spec; the repository includes a small install.sh that clones the GitHub repo into ~/.claude/skills and sends a single analytics POST to a goatcounter endpoint. Cloning from GitHub is expected. The analytics POST includes a visible Authorization Bearer token in the script; this appears to be a tracking token for counting installs (opt-out supported via ARBITRUM_SKILL_NO_ANALYTICS). Running arbitrary install scripts fetched over the network (README suggested curl|bash) carries the usual risk—review the script before executing.
Credentials
The skill declares no required environment variables or credentials. The documentation recommends using PRIVATE_KEY, RPC URLs, and ARBISCAN_API_KEY for deploying/verifying contracts — all are proportionate to a deployment guide. The only explicit private key present in the repo is the nitro-devnode's pre-funded local key (intended for local testing).
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. The installer writes only to the user skill directory (~/.claude/skills) and does not modify other skills or system config. The skill is user-invocable and can be invoked autonomously by the agent (platform default) — not flagged on its own.
Assessment
This skill looks coherent with its purpose (Arbitrum dApp guidance). Before installing:
1) Inspect install.sh (it does a git clone and posts a single analytics hit to arbitrum-dapp-skill.goatcounter.com; set ARBITRUM_SKILL_NO_ANALYTICS=1 to opt out).
2) Avoid running curl | bash from unknown sources unless you reviewed the script.
3) Treat the private key shown in references/local-devnode.md as a local-dev key only — never use it on testnet/mainnet.
4) If you want extra caution, manually clone the GitHub repo, review files, and install only after confirming nothing unexpected is present (no hidden network exfiltration or privileged actions).
Like a lobster shell, security has layers — review code before you run it.
latestvk977qqnvtz1jzts8vshjvcwkbn80ggen
