ZeroDust Chain Exit

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: zerodust-chain-exit
Version: 1.0.0

The skill is designed to sweep native gas tokens from EIP-7702 compatible chains, interacting with a clearly defined external API endpoint (zerodust-backend-production.up.railway.app). All network calls are to this single, consistent endpoint. Crucially, the process explicitly requires the user to sign multiple messages for delegation, revocation, and sweep intent, ensuring user authorization for all transactions and preventing unauthorized fund movement by the agent. The `SKILL.md` instructions guide the agent on how to use the API and interact with the user, without any evidence of prompt injection attempts to subvert the agent's purpose, exfiltrate unrelated data, or execute arbitrary commands. The `ZERODUST_API_KEY` is a required environment variable for the skill's own operation, not for exfiltrating other sensitive credentials.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user signs the wrong authorization, verifies the wrong destination, or trusts a compromised service, their native token balance could be moved irreversibly.

Why it was flagged

The skill asks the user to grant delegated wallet authority and authorize a sweep that is designed to empty the wallet's native-token balance. This is core to the purpose, but it is high-impact financial authority and the provided artifacts do not show contract-address or audit verification guidance.

Skill content
The user must sign:
1. **EIP-7702 delegation authorization** - Delegates their EOA to ZeroDust contract
...
3. **EIP-712 sweep intent** - Authorizes the specific sweep parameters

Recommendation

Only sign after independently verifying the destination, chain, amount, fees, contract address, and revocation details in the wallet. Prefer a hardware wallet or test wallet and do not sign unreadable or unexpected EIP-7702 data.

What this means

Users cannot verify from these artifacts that the backend or contract will produce only the intended sweep and revocation transactions.

Why it was flagged

The package provides instructions but no inspectable implementation, while the skill relies on a remote ZeroDust backend to create quotes and signing payloads. For a crypto sweep workflow, unknown source/provenance is a material review concern.

Skill content
Source: unknown
Homepage: none
No code files present — this is an instruction-only skill.
Recommendation

Before use, verify the provider, API documentation, contract addresses, source code, and any audits outside the skill package. Avoid using it with significant funds unless the service provenance is trusted.

What this means

A mistaken batch request could prepare or submit sweeps for more chains than intended.

Why it was flagged

Batch sweeping is disclosed and purpose-aligned, but it can affect multiple chain balances at once if the agent or user supplies the wrong chain or destination parameters.

Skill content
## Batch Sweeps (Multiple Chains)

Sweep from multiple chains in one request:
Recommendation

Require a per-chain quote and explicit user confirmation of source chain, destination address, expected receive amount, and fees before any signing or submission.