Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

clawcontract

v1.0.8

AI-powered smart contract generator, analyzer, and deployer for BNB Chain (BSC/opBNB). Use when you need to generate Solidity from natural language, run secu...

0· 706·1 current·1 all-time
by cvpfus @sufnoobzac
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required binary (clawcontract), install spec (npm package), and required env vars (AI API key, private key for deploy, BscScan API key for verification) all align with a CLI that generates, analyzes, deploys, and verifies contracts on BNB chains. Minor metadata inconsistency: the registry primary credential field is 'none' while CLAWCONTRACT_PRIVATE_KEY is listed in requires.env, but this is a documentation/metadata mismatch rather than a functional mismatch.
Instruction Scope
SKILL.md is an instruction-only CLI wrapper that stays within scope: it runs clawcontract commands, writes generated source to ./contracts/, and stores deployment metadata in .deployments/. Notable agent-impacting behaviors: the full pipeline can auto-fix generated code (up to 3 attempts) and deploys automatically (no interactive blocking prompt for mainnet), which means an agent with access to a funded private key can perform live transactions without interactive confirmation. The README provides flags (--skip-deploy, --skip-fix) to reduce this risk.
Install Mechanism
Install uses an npm package named 'clawcontract' which creates the expected binary. This is a standard package install mechanism; it is traceable on npm/GitHub rather than pulling arbitrary archives from unknown hosts. As with any npm package, users should verify the package provenance and review the package contents before installation.
Credentials
The three required env vars (CLAWCONTRACT_OPENROUTER_API_KEY for AI generation, CLAWCONTRACT_PRIVATE_KEY for signing deployments, CLAWCONTRACT_BSCSCAN_API_KEY for contract verification) are proportionate to the stated features. CLAWCONTRACT_PRIVATE_KEY is highly sensitive: only provide it when you intend to deploy, and prefer testnet or throwaway keys for trials. The undeclared primary credential in the registry metadata is a minor inconsistency.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide settings. It writes files only to the local contract and deployment paths described in SKILL.md. Autonomous invocation is allowed, which is the platform default; combined with the required CLAWCONTRACT_PRIVATE_KEY this gives the agent the ability to sign transactions, which is expected for a deployer CLI.
Assessment
This skill appears to do what it claims, but take these precautions before installing or running it:
1) Do not supply a funded mainnet private key unless you intentionally want the agent to be able to deploy live contracts; use testnet or throwaway keys for initial experiments.
2) Review the npm package source (https://github.com/cvpfus/clawcontract and the published package contents) before running npm install, to confirm there are no surprises.
3) To prevent accidental deploys or automated code changes, pass --skip-deploy and/or --skip-fix when invoking the 'full' pipeline.
4) Treat CLAWCONTRACT_PRIVATE_KEY as highly sensitive: store it securely and keep it out of broad CI/CD environments.
5) Note the minor metadata inconsistency (primary credential not declared); this is likely harmless but worth being aware of.
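One way to carry out step 2 above, as an added example that is not part of clawcontract or the ClawHub scanner: a small Node script that audits a package manifest before `npm i -g`, flagging install-time lifecycle scripts (which npm runs automatically at install), bins other than the one this page declares, and a repository field that does not point at the GitHub project named above. The expected bin name and repository come from this page; the sample manifest is constructed for the example and is not the real clawcontract package.json.

```javascript
// Added example, not code from clawcontract or ClawHub: pre-install audit of an
// npm package manifest. Expected values below are taken from the skill page;
// everything else is an assumption made for the example.
const EXPECTED = { bin: 'clawcontract', repo: 'github.com/cvpfus/clawcontract' };

// npm runs these scripts on its own during `npm install`, so any of them means
// code executes on your machine before you ever invoke the CLI.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Constructed sample manifest (NOT the real clawcontract package.json) showing
// two things the audit should catch: a postinstall hook and a second binary.
const SAMPLE_MANIFEST = {
  name: 'clawcontract',
  version: '1.0.8',
  bin: { clawcontract: 'dist/cli.js', helper: 'dist/helper.js' },
  scripts: { build: 'tsc', postinstall: 'node scripts/setup.js' },
  repository: { type: 'git', url: 'git+https://github.com/cvpfus/clawcontract.git' },
  dependencies: { ethers: '^6.0.0', commander: '^12.0.0' },
};

// Normalise the "repository" field: it may be { type, url }, a full URL string,
// or the npm shorthand "user/repo" / "github:user/repo" (which means GitHub).
function repoUrl(repository) {
  const raw = typeof repository === 'string' ? repository : (repository && repository.url) || '';
  const m = raw.match(/^(?:github:)?([\w.-]+\/[\w.-]+)$/);
  return m ? `https://github.com/${m[1]}` : raw;
}

function auditPackage(pkg, expected = EXPECTED) {
  const findings = [];

  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (Object.prototype.hasOwnProperty.call(scripts, hook)) {
      findings.push(`install-time script "${hook}": ${scripts[hook]}`);
    }
  }

  // "bin" is either a path string (binary named after the package) or a map.
  const bins = typeof pkg.bin === 'string' ? { [pkg.name]: pkg.bin } : { ...(pkg.bin || {}) };
  const binNames = Object.keys(bins);
  if (!binNames.includes(expected.bin)) {
    findings.push(`expected bin "${expected.bin}" not declared (found: ${binNames.join(', ') || 'none'})`);
  }
  for (const extra of binNames.filter((b) => b !== expected.bin)) {
    findings.push(`unexpected extra bin "${extra}" -> ${bins[extra]}`);
  }

  const repo = repoUrl(pkg.repository);
  if (!repo.includes(expected.repo)) {
    findings.push(`repository "${repo || 'none'}" does not point at ${expected.repo}`);
  }

  return {
    name: pkg.name,
    version: pkg.version,
    bins: binNames,
    dependencies: Object.keys(pkg.dependencies || {}),
    findings,
    ok: findings.length === 0,
  };
}

// Read a manifest from disk, e.g. package/package.json after `npm pack` + `tar xzf`.
function auditPackageFile(path, expected = EXPECTED) {
  const fs = require('node:fs');
  return auditPackage(JSON.parse(fs.readFileSync(path, 'utf8')), expected);
}

if (typeof module !== 'undefined') {
  module.exports = { EXPECTED, INSTALL_HOOKS, SAMPLE_MANIFEST, repoUrl, auditPackage, auditPackageFile };
}
```

To run it against the real package without installing anything, `npm pack clawcontract@1.0.8` downloads the published tarball as clawcontract-1.0.8.tgz, `tar xzf` unpacks it into package/, and `auditPackageFile('package/package.json')` returns the report. Audit the tarball rather than only the GitHub checkout, because what npm installs is the published tarball and it need not match the repository. A clean manifest is only the first check: the CLI receives CLAWCONTRACT_PRIVATE_KEY at runtime, so also read the code that handles it before supplying a key.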

Like a lobster shell, security has layers — review code before you run it.

latest: vk979678n18e8j38ehgq3wwxym58158x2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Bins: clawcontract
Env: CLAWCONTRACT_OPENROUTER_API_KEY, CLAWCONTRACT_PRIVATE_KEY, CLAWCONTRACT_BSCSCAN_API_KEY

Install

Install clawcontract (npm)
Bins: clawcontract
npm i -g clawcontract
