Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Etherlink Skill

v1.0.0

Etherlink blockchain interaction - EVM-compatible L2 on Tezos. Supports mainnet and shadownet testnet via MCP server. Use for balance checks, transactions, smart contracts, and token operations on Etherlink.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Etherlink blockchain interaction) matches the included docs, network references, and test script. The skill's instructions focus on configuring an MCP server and using Etherlink RPCs which is coherent for the stated purpose. Minor concerns: the repository source is unknown and the references point to an unverified 'yourusername/etherlink-mcp-server' GitHub path and external domains (node.*.etherlink.com), so provenance is unclear.
Instruction Scope
SKILL.md stays mostly within expected scope (balance, txs, contracts, network selection). It explicitly instructs adding a PRIVATE_KEY/EVM_PRIVATE_KEY environment variable to the MCP configuration for write operations — which is expected for a wallet-like integration but is sensitive. The docs also instruct running remote packages (npx) or local builds; the guidance does not tell the agent to read unrelated system files or exfiltrate data, but it could cause the agent or user to place secret keys into a process environment that will run third-party code.
Install Mechanism
The skill itself has no install spec, but the included MCP setup docs recommend using 'npx -y etherlink-mcp-server' or cloning/running code (bun run). Using npx (or running an unverified GitHub-sourced server) executes code from external registries/hosts and can run arbitrary code. Because the upstream package/source is unverified here and no official homepage/repository is provided, this is a notable risk.
Credentials
The skill does not declare required env vars in metadata, which is correct for an instruction-only skill. However, SKILL.md and mcp-setup.md explicitly recommend setting PRIVATE_KEY / EVM_PRIVATE_KEY in the MCP server env for write operations. Requesting a signing key is proportionate to sending transactions, but storing private keys in MCP config or passing them to npx-run servers is sensitive and should be minimized (use read-only mode, hardware wallets, or ephemeral keys for testing).
Persistence & Privilege
No always:true flag, no installs that modify other skills or system-wide settings. The skill is instruction-only plus a small test script and reference docs; it does not request elevated platform privileges in its metadata.
What to consider before installing
This skill appears to be what it says — documentation and a small test script for interacting with an Etherlink RPC — but exercise caution before you run or install any related MCP server code. Specific actions to take before installing/using:

- Verify origin: ask the publisher for a canonical homepage or repository. Do not run npx or clone/run code from an untrusted/unknown package.
- Audit server code: if you plan to run an MCP server, fetch its source (git) and review it locally before running. Avoid 'npx -y' for untrusted packages.
- Protect private keys: never place a high-value private key into a third-party MCP config you haven't audited. Use read-only mode for routine queries; use an ephemeral or testnet key for experiments.
- Prefer running your own RPC or MCP instance under your control to avoid sending sensitive signing material to remote code.
- Test on Shadownet first and confirm RPC endpoints (node.*.etherlink.com) are legitimate and reachable.

If you cannot verify the upstream package/repository or inspect the MCP server source, treat the recommended install commands (npx, remote builds) as a significant risk and avoid providing real private keys.


Tags: blockchain, crypto, etherlink, evm, latest, tezos, web3
