Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

megaethss-developer

v1.0.0

End-to-end MegaETH development playbook (Feb 2026). Covers Foundry project setup with MegaETH-specific config, wallet operations, token swaps (Kyber Network)...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to be an end-to-end MegaETH development playbook, but the repository includes a Python 'search.py' that implements an X (Twitter) search using the xAI Grok API (API_URL=https://api.x.ai/v1/responses). That script and its functionality (searching X via x.ai) are unrelated to MegaETH development and to the SKILL.md's described capabilities. Additionally, the script requires an XAI_API_KEY, but the skill metadata declares no required environment variables.
! Instruction Scope
SKILL.md provides detailed runtime guidance for MegaETH development (RPC methods, eth_sendRawTransactionSync, Foundry workflows, etc.) but does not reference the included search utility. The included script will read XAI_API_KEY from the environment and POST queries to api.x.ai, which means running the bundled code will transmit data (and use a secret) to an external service unrelated to the stated purpose. The instructions in SKILL.md do not disclose this network activity or the env var dependency.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded or installed. However, two Python files are packaged with the skill; while that carries low install risk, including executable scripts without declaring their purpose or required credentials is still an incoherence risk.
! Credentials
The packaged script requires the environment variable XAI_API_KEY to contact api.x.ai, but the skill metadata lists no required env vars or primary credential. Requesting or reading an API key for x.ai is not justified by the MegaETH-focused description. This is an undeclared credential dependency and therefore disproportionate and suspicious.
Persistence & Privilege
The skill does not request persistent privileges (always is false) and does not declare any system-wide config changes. It is user-invocable and allows model invocation by default, which is normal; nothing indicates forced persistence or modification of other skills.
What to consider before installing
This package is inconsistent: it advertises MegaETH development guidance but includes an unrelated Python script that calls the x.ai Grok API and expects an XAI_API_KEY that isn't declared. Before installing or running anything:
(1) Ask the publisher/source to explain why an X search utility is bundled with a MegaETH playbook and to declare required env vars.
(2) Do not run the Python scripts until you inspect them locally; they will send requests (and require an API key) to api.x.ai.
(3) If you must run, do so in an isolated environment and ensure no sensitive keys (AWS, GitHub, personal tokens) are present in the environment.
(4) Prefer a version from a known author/homepage or remove the unrelated scripts if they are not needed.
If the author provides a clear justification and updates metadata to declare XAI_API_KEY, the incoherence would be resolved.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ejzgz65jpdrndxk23acvdg984349y
