Is davidtaikocha/etherscan-api safe?

https://github.com/openclaw/skills/tree/main/skills/davidtaikocha/etherscan-api

91
SAFE

The etherscan-api skill is a documentation-only package containing markdown reference files and a yaml agent descriptor. It contains no executable code, no npm scripts, no git hooks, no submodules, and no prompt injection patterns. The install touched only GitHub over HTTPS and left no persistent connections or modified files outside its own directory. The sole actionable concern is that an active agent following this skill will need to source an Etherscan API key, which may lead it to inspect environment variables or credential files — behavior that is standard for any API-integration skill but should be understood by the deploying user.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 89/100 · 25%
Code Execution 87/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (5)

LOW Agent may source ETHERSCAN_API_KEY from credential stores -8

The skill's Required Inputs section lists ETHERSCAN_API_KEY as a prerequisite and the bash examples reference it via $ETHERSCAN_API_KEY. An agent with shell or file-system access may look for this value in ~/.env, environment variables, or other credential files. This is standard behavior for any API integration skill, but users should ensure the agent's key-retrieval behavior is intentional.

LOW Skill provides ready-to-run curl commands that an agent may execute verbatim -10

The Quick Commands section contains fully-formed curl invocations. An agent with shell-execution capability may run these directly. The placeholders use angle-bracket notation, which most LLMs will correctly identify as requiring substitution, but a poorly-bounded agent could attempt direct execution.

INFO Monorepo sparse-checkout install pattern 0

The skill is distributed as a subdirectory of a monorepo (openclaw/skills). The installer clones the entire repo with --depth 1 then performs a sparse-checkout. This is a slightly larger footprint than a per-skill repo but the /tmp/monorepo-clone directory was cleaned up immediately after copy. No residual data remained.

INFO Skill directs agent to read co-located reference files 0

SKILL.md includes a 'Read first' section instructing the agent to read four local markdown files (network-map.md, endpoint-cheatsheet.md, rate-limits.md, explorer-url-patterns.md). These files exist within the skill directory, contain no malicious content, and the instruction does not traverse outside the skill directory.

INFO Canary file opens attributable to audit framework, not skill 0

Auditd recorded opens of .env, .ssh/id_rsa, .aws/credentials and other sensitive paths. Timestamps for these accesses (1771920878 and 1771920901) correspond to the OATHE infrastructure's own pre-install baseline scan and post-install integrity check, occurring before git clone started and after all skill files were installed respectively. The skill contains no code capable of file I/O.