4Claw Mint
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This token-minting skill is purpose-aligned, but it asks agents to use a raw BSC wallet private key and lets a remote signer response choose the contract transaction target.
Review this carefully before installing. If you use it, create a fresh low-balance BSC wallet only for this mint, verify the contract address before every transaction, use a trusted HTTPS signer URL, and do not pass a main wallet private key to the script.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
All 64 VirusTotal vendors reported this skill as clean (0/64 detections).
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the wrong wallet key is used or exposed through shell history, process listings, logs, or agent context, funds and tokens in that wallet could be at risk.
A BSC private key grants control over the wallet and gas spending. Requiring it as a script argument is high-impact credential use for a skill whose metadata declares no primary credential.
Run the mint script with the agent's wallet private key:
node scripts/mint.js <PRIVATE_KEY> <SERVER_URL>
- `PRIVATE_KEY`: Agent's BSC wallet private key (needs small BNB for gas)
Use only a dedicated wallet with minimal BNB for gas, never a main wallet, and prefer a safer wallet-signing integration or explicit per-transaction approval instead of passing raw private keys.
A compromised, mistaken, or impersonated signer service could cause the agent wallet to sign a transaction to an unexpected contract, wasting gas or invoking unintended contract behavior.
The script trusts the remote signer service to provide the contract address and then sends a wallet-signed transaction to that returned address, rather than enforcing the documented 4Claw contract address.
const { nonce, deadline, signature, contract } = sigRes.data;
...
const fourClaw = new ethers.Contract(contract, CONTRACT_ABI, wallet);
...
const tx = await fourClaw.mint(nonce, deadline, signature);
Hard-code or verify the expected contract address and chain ID before sending any transaction, display the transaction target to the user, and require confirmation for on-chain writes.
Because the default transport is plaintext HTTP, an on-path observer can see the wallet address being sent and can also alter the signer's response; users must additionally trust the default server operator to return correct minting data.
The default signer endpoint is a plaintext HTTP IP address, and the script sends the wallet address to it. This is part of the minting design, but the endpoint identity and transport protection are weak.
const SERVER_URL = process.argv[3] || "http://43.160.201.224:3456";
...
wallet_address: wallet.address
Use a trusted HTTPS signer URL, verify the server operator, and avoid linking sensitive wallets to the minting endpoint.
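The three recommendations above (do not accept the private key on the command line, require an HTTPS signer URL with a named operator, and refuse to sign for any contract other than the documented one on the expected chain) can be enforced by a pre-flight step in the mint script. The code below is an added example written for this review; it is not part of the 4Claw skill and uses only Node built-ins so it runs without ethers. Everything not on the page is an assumption: the signer response shape { nonce, deadline, signature, contract } with deadline in unix seconds, BSC mainnet as chain ID 56, the placeholder EXPECTED_CONTRACT (not the real 4Claw address), and the hostname signer.example.com.

```javascript
// Added example, not code from the 4Claw skill: pre-flight checks a mint
// script can run before a wallet-signed transaction is sent to the contract
// address a signer service returns. Assumptions not stated on the page: the
// signer response is { nonce, deadline, signature, contract } with deadline
// in unix seconds; BSC mainnet is chain ID 56; EXPECTED_CONTRACT below is a
// placeholder, not the documented 4Claw contract address.

const BSC_MAINNET_CHAIN_ID = 56;
const EXPECTED_CONTRACT = "0x1111111111111111111111111111111111111111"; // placeholder

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
const HEX_BYTES_RE = /^0x(?:[0-9a-fA-F]{2})+$/;
const PRIVATE_KEY_RE = /^(?:0x)?[0-9a-fA-F]{64}$/;
const IPV4_RE = /^\d{1,3}(?:\.\d{1,3}){3}$/;

// A raw key on the command line lands in shell history and `ps` output;
// refuse to start rather than let it through.
function checkArgv(argv) {
  return argv.some((a) => PRIVATE_KEY_RE.test(a))
    ? "a 32-byte private key was passed as a command-line argument"
    : null;
}

// Plaintext HTTP lets an on-path attacker rewrite `contract`; a bare IP has
// no operator identity a certificate could bind to.
function checkSignerUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return `signer URL is not parseable: ${url}`;
  }
  if (parsed.protocol !== "https:") return `signer URL must use https, got ${parsed.protocol}`;
  if (IPV4_RE.test(parsed.hostname)) return `signer URL is a bare IP (${parsed.hostname})`;
  return null;
}

// Compare the response with what the wallet is willing to sign: the documented
// contract on the expected chain, with a deadline that has not passed.
function checkSignerResponse(res, { expectedContract, expectedChainId, networkChainId, now }) {
  const problems = [];
  if (typeof res.contract !== "string" || !ADDRESS_RE.test(res.contract)) {
    problems.push("contract is not a 20-byte hex address");
  } else if (res.contract.toLowerCase() !== expectedContract.toLowerCase()) {
    // Case-insensitive compare; with ethers, normalise both sides via getAddress().
    problems.push(`contract ${res.contract} is not the expected ${expectedContract}`);
  }
  if (networkChainId !== expectedChainId) {
    problems.push(`provider is on chain ${networkChainId}, expected ${expectedChainId}`);
  }
  if (typeof res.signature !== "string" || !HEX_BYTES_RE.test(res.signature)) {
    problems.push("signature is not a hex byte string");
  }
  if (!Number.isInteger(res.deadline) || res.deadline <= now) {
    problems.push(`deadline ${res.deadline} is missing or already passed`);
  }
  if (res.nonce === undefined || res.nonce === null) problems.push("nonce is missing");
  return problems;
}

// Run every check; the caller signs only when `ok` is true.
function preflight({ argv, signerUrl, signerResponse, networkChainId, now }) {
  const problems = [checkArgv(argv), checkSignerUrl(signerUrl)].filter(Boolean);
  problems.push(...checkSignerResponse(signerResponse, {
    expectedContract: EXPECTED_CONTRACT,
    expectedChainId: BSC_MAINNET_CHAIN_ID,
    networkChainId,
    now,
  }));
  return { ok: problems.length === 0, problems };
}

// Text to show before asking for an explicit yes/no on the on-chain write.
function confirmationPrompt(res, chainId, from) {
  return [
    `About to call mint() on ${res.contract} (chain ID ${chainId}) from ${from}`,
    `nonce ${res.nonce}, signer deadline ${new Date(res.deadline * 1000).toISOString()}`,
    "Proceed? [y/N]",
  ].join("\n");
}

// Constructed sample inputs: a matching response over HTTPS with the key
// supplied as a file path, and a response naming a different contract over
// the skill's default plaintext endpoint with the key in argv.
const NOW = 1700000000;
const goodResponse = {
  nonce: 7,
  deadline: NOW + 600,
  signature: "0x" + "ab".repeat(65),
  contract: EXPECTED_CONTRACT.toLowerCase(),
};
const badResponse = { ...goodResponse, contract: "0x2222222222222222222222222222222222222222" };

const goodRun = preflight({ argv: ["node", "mint.js", "/run/secrets/mint-key"], signerUrl: "https://signer.example.com/sign",
  signerResponse: goodResponse, networkChainId: 56, now: NOW });
const badRun = preflight({ argv: ["node", "mint.js", "0x" + "11".repeat(32)], signerUrl: "http://43.160.201.224:3456",
  signerResponse: badResponse, networkChainId: 97, now: NOW });
console.log(goodRun, badRun);
```

In the real script, `networkChainId` would come from the provider's network lookup and `preflight` would run after the signer response is received but before `new ethers.Contract(...)` is constructed, with `confirmationPrompt` shown to the user and the transaction sent only on an explicit yes. The key-in-argv check is a stopgap; the stronger fix is to move signing to a wallet integration that never hands the raw key to the script at all.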
Users may not know which runtime or dependency versions are expected, which is especially important for software that handles private keys and blockchain transactions.
The artifact set includes runnable Node scripts, but the registry provides no install specification, required binary declaration, or dependency lock context for the ethers dependency used by the scripts.
No install spec: this is an instruction-only skill.
Code file presence: 2 code file(s): scripts/mint.js, scripts/server.js
Add explicit Node.js and dependency requirements, pin package versions with a lockfile, and document the expected runtime setup.
