Is 0xguardbot/megaeth safe?
https://github.com/openclaw/skills/tree/main/skills/0xguardbot/megaeth
This skill is a comprehensive, well-structured MegaETH blockchain development reference consisting entirely of markdown documentation files. No executable code, install scripts, git hooks, or malicious patterns were detected. Network and filesystem monitoring during installation showed only expected git clone activity. The only notable findings are a minor token address inconsistency between two files (likely a typo) and the inherent sensitivity of the wallet/transaction management domain.
Category Scores
Findings (4)
LOW Inconsistent MEGA token address across files -5
The MEGA token contract address differs between wallet-operations.md and resources.md by one character (0x...F1E3eA0E... vs 0x...F1E2eA0E...). This appears to be a typo but could cause incorrect token interactions if a user relies on the wrong address.
INFO Opinionated default stack decisions -5
SKILL.md includes opinionated engineering guidance (e.g., 'eth_sendRawTransactionSync first', 'skip estimation when possible', 'Multicall preferred'). These shape agent behavior toward specific patterns but are clearly labeled as opinions and standard for developer reference material.
INFO Wallet/private key handling domain -5
The skill's core purpose involves wallet setup, transaction signing, and private key management. While the skill includes proper security warnings ('Never expose private keys'), an active agent following these instructions will inherently handle sensitive cryptographic material.
INFO Hardcoded contract addresses and RPC endpoints -5
The skill provides hardcoded contract addresses (L1StandardBridgeProxy, WETH9, Multicall3, MEGA token) and RPC endpoints. These appear legitimate but represent a trust dependency — if any address were incorrect or malicious, users following the skill could lose funds.