ZeroDust Chain Exit
v1.0.0
Sweep 100% of native gas tokens from EIP-7702 compatible chains. Leaves exactly zero balance. Supports 25 mainnet chains.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The described capability (obtain quote, provide EIP-712/EIP-7702 typed data, have the user sign and submit a sweep) is consistent with a centralized service that coordinates sponsored EIP-7702 sweeps. Requiring a ZERODUST_API_KEY to call agent endpoints is proportionate. However, there is no source homepage or project repository provided, and many listed 'supported chains' and chain IDs look unusual or fictional (e.g., Zora id 7777777, several names like 'Fraxtal', 'World Chain', 'Plasma', 'Story', 'Superseed', 'Soneium', 'X Layer') which undermines trust in the claimed breadth of support.
Instruction Scope
SKILL.md instructs the agent to call a single third-party API to get quotes, authorization typed data, and to submit sweeps — that is within scope. Concerns: (1) the flow requires the user to sign three messages including a delegation and a pre-signed revoke; pre-signed revokes can be risky if the backend stores and replays them, or if their validity window is unclear; (2) the agent may prompt users to paste signatures or data — instructions do not explicitly warn against pasting private keys, and there is no guidance on secure wallet signing flows; (3) the convenience 'agent' endpoints (agent/sweep, agent/batch-sweep) allow an API key to request sweeps for arbitrary addresses, which means possession of an API key confers broad sweep capability that must be trusted.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is written to disk and there is no package install step — lowest install risk.
Credentials
Only a single env var (ZERODUST_API_KEY) is required which is proportionate for a hosted API service. However, because the API key is used to call endpoints that create authorizations and can submit sweeps (including batch sweeps), possession of this key grants the caller the ability to initiate money-moving operations — users should only set it if they trust the backend operator. The skill does not request unrelated credentials, which is good.
Persistence & Privilege
always:false and no install lifecycle steps are present. The skill does not request elevated persistent privileges or modify other skills/configs. The agent may invoke the API autonomously (default), which is expected for skills; this should be considered when deciding whether to grant the API key to the agent.
What to consider before installing
Do not use this skill with real funds until you can verify the backend and codebase. Specific steps to take before installing or using:
- Verify the project: ask the publisher for a canonical homepage or public source repo (GitHub) and review the server code and docs. The skill currently lists no homepage/source and points to a railway.app backend, which is not proof of legitimacy.
- Validate supported chains: confirm the chain IDs and names the service claims to support; several names/IDs in the SKILL.md look uncommon or fictional. Try a tiny test amount first.
- Protect keys and signing: never paste private keys into the agent. Ensure signing is done via a secure wallet UI (e.g., MetaMask, hardware wallet) that only signs the intended typed data. Prefer in-wallet signing over copy-pasting signatures where possible.
- Question pre-signed revocation: ask the operator to explain why a pre-signed revoke is required, how long signatures are valid, and whether the revoke signature can be replayed or misused later. Prefer a flow where revocation is executed deterministically and immediately, or better yet where the revoke is controlled by the user.
- Limit API key exposure: treat ZERODUST_API_KEY as highly sensitive — possession appears to allow batch/agent sweeps. Only provide it to agents you fully trust and consider using a scoped/test key first.
- Ask for independent audits or references and for an official domain and contact/support channels. If these are not provided, avoid using the skill for any significant balances.

Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🧹 Clawdis
Env: ZERODUST_API_KEY
