Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ethereum Read Only
v1.0.0Foundry castを使用したウォレット不要のオンチェーン状態読み取り
⭐ 0· 1.5k·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name/description (read-only Ethereum queries via Foundry cast) matches the instructions. However the registry metadata declares no required environment variables or binaries while the instructions explicitly rely on ETH_RPC_URL/POLYGON_RPC_URL/ARB_RPC_URL (API keys or public RPC URLs) and on tools such as cast, jq, bc — a mismatch between declared requirements and actual needs.
Instruction Scope
SKILL.md instructs installing Foundry and exporting RPC environment variables (modifying ~/.bashrc), and contains many example scripts that call cast, jq, bc, date, etc. The instructions do not access unrelated system areas or other credentials, but they assume the presence of several binaries and they encourage running a remote installer and editing shell config without declaring those requirements.
Install Mechanism
There is no formal install spec in the registry; the SKILL.md tells the user to run curl -L https://foundry.paradigm.xyz | bash and foundryup. That URL is the official Foundry installer host (paradigm's installer), which is common practice but still executes a remote script. Because the skill is instruction-only, the platform won't manage or vet that install — the user should inspect the installer before running it.
Credentials
The instructions require RPC endpoints/API keys (Alchemy or other RPC providers) which are effectively credentials, but the skill metadata declares no required env vars or primary credential. This omission is significant: users may provide secrets without the platform treating them as sensitive, and the skill may reference credentials that were not communicated as needed.
Persistence & Privilege
always is false and autonomous invocation is allowed (platform default). The SKILL.md suggests adding exports to ~/.bashrc, which modifies shell profile, but the skill does not request persistent system-wide privileges or modify other skills. No 'always:true' or other escalations are present.
What to consider before installing
This skill appears to be a straightforward guide for read-only Ethereum queries using Foundry/cast, but metadata and README disagree on what the agent/user must provide. Before installing or running anything: (1) Inspect the Foundry installer script (https://foundry.paradigm.xyz) rather than blindly running curl | bash. (2) Note that the SKILL.md expects ETH_RPC_URL (and similar RPC keys) — treat those as secrets (API keys) and do not paste them into public places; the registry did not mark them as required so platform protections may not apply. (3) Ensure you have jq, bc, cast (Foundry), and other CLI tools available; the registry lists no required binaries. (4) If you prefer extra safety, use a public rate-limited RPC (e.g., rpc.ankr.com) or run your own node instead of supplying a paid Alchemy/Infura key. (5) If you want to install this skill in an automated agent, ask the author to update metadata to declare required env vars and binaries, and to provide an install spec or vetted release URL to avoid running unreviewed remote scripts.Like a lobster shell, security has layers — review code before you run it.
latestvk975axh3jbvy6f7he2gcbttk1n80fsq5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.