Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Setup Local Anvil Testnet

v0.1.0

Spin up a local Anvil testnet with Uniswap deployed and pre-seeded liquidity. One command gives you a full development environment with funded accounts, real Uniswap pools, and zero gas costs. Use when developing, testing, or demoing Uniswap agent workflows.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the instructions: the SKILL.md describes starting an Anvil fork, seeding accounts and Uniswap pools, and returning RPC URL/contract addresses/private keys. The skill is instruction-only and expects an MCP tool (mcp__uniswap__setup_local_testnet) to perform the actual work — this is consistent with a wrapper/orchestration skill.
Instruction Scope
Instructions stay within the stated purpose (check Anvil, parse parameters, call the MCP tool, format results). They will present private keys and funded account details to the user (expected for a local testnet). The document also suggests running the Foundry install command (curl ... | bash) if Anvil is missing — that is an out-of-band installation step the user should consider carefully.
Install Mechanism
This is instruction-only (no install spec, no code files to execute). README points to adding the skill via npx/clawhub; the SKILL.md itself does not install arbitrary binaries. The only external install the instructions reference is the standard Foundry installer (curl pipe to bash), which is common but should be treated as an explicit user action and audited before running.
Credentials
The skill declares no required env vars, but fork mode realistically needs a chain RPC endpoint (Alchemy/Infura/custom RPC) to fork from; SKILL.md mentions network access/timeouts but does not declare or ask for an RPC API key. That omission may be an implementation detail of the MCP tool, but you should confirm where the RPC URL comes from. Also, the skill outputs private keys for funded accounts — normal for local Anvil forks but sensitive if reused or transmitted elsewhere.
Persistence & Privilege
The skill does not request elevated persistence (always:false) and does not instruct modifying other skills or system-wide settings. It will manage a local Anvil process/port and clean it up per its description — expected for this functionality.
Assessment
This skill appears to do what it claims (start a local Anvil fork, seed Uniswap pools, and return accounts/contracts), but check these before installing or running:
1) Confirm where the fork RPC comes from — the MCP tool or you will need to supply an RPC URL / API key (Alchemy/Infura/etc.). Don't assume anonymous public RPCs will be used.
2) The SKILL.md suggests running Foundry's installer (curl ... | bash) if Anvil is missing — audit that installer and run it yourself if you trust the source.
3) The skill will print private keys for test accounts (normal for local forks). Treat those keys as sensitive for any environment where networked components might read them; never reuse them on mainnet.
4) Verify the MCP tool implementations (mcp__uniswap__setup_local_testnet, fund_test_account, get_supported_chains) come from a trusted source or inspect their code before allowing autonomous execution.
5) If you are uncertain, run this skill in an isolated VM/container and ensure it uses a known RPC endpoint.
These checks would change the confidence to high if satisfied.
