ClawHub

ChainAI

v0.0.12

Ethereum & EVM blockchain CLI skill — sign messages, send tokens, swap via 1inch Fusion, check balances, broadcast transactions, and manage wallets across Et...

0· 491·0 current·0 all-time
by@kvhnuke
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the declared requirements: Node/npm tooling and a private key are expected for a CLI that signs and broadcasts EVM transactions. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
The SKILL.md instructs the agent to call the chainai CLI via npx, to prefer the CHAINAI_PRIVATE_KEY env var over flags, and explicitly warns never to log or transmit private keys. It does not (in the provided content) instruct reading unrelated system files or sending secrets to third parties.
Install Mechanism
Install is via the npm package 'chainai' (creates a chainai binary). This is typical for a Node CLI but carries the usual npm risk: packages can execute arbitrary code during install/run. Confirm package provenance and review the package/repository before installing.
Credentials
Only CHAINAI_PRIVATE_KEY is required and declared as the primary credential, which is proportionate for a signing/broadcasting CLI. The SKILL.md emphasizes protecting the key; no other unrelated secrets are requested.
Persistence & Privilege
The skill does not request 'always' presence and does not ask to modify other skills or system-wide settings. It installs a CLI binary into the environment like any npm package.
Assessment
This skill appears coherent for an Ethereum CLI, but installing an npm package gives it the ability to run arbitrary code. Before installing: (1) verify the npm package and GitHub repo match the claimed project and author; (2) review the package source (or at least its install/postinstall scripts) for surprises; (3) never pass your private key on command-line flags or store it in plaintext—use an environment variable or a dedicated signing provider; (4) consider using a throwaway/testnet key first to confirm behavior; (5) run in a restricted environment (container/VM) if you can't audit the code; and (6) consider hardware-wallet or remote-signing alternatives if you must protect high-value keys.

Like a lobster shell, security has layers — review code before you run it.

latestvk972j31hrz70qte5dq4ey2se4182v5pd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
Binsnpx, node
EnvCHAINAI_PRIVATE_KEY
Primary envCHAINAI_PRIVATE_KEY

Install

Node
Bins: chainai
npm i -g chainai

Comments