Is masoncags-tech/abstract-onboard safe?

bridge-usdc-relay.js unconditionally bridges the caller's entire USDC balance (minus a 0.1 USDC dust buffer). There is no amount argument. An agent responding to any instruction involving bridging USDC will transfer all available funds. This is a critical financial-safety failure regardless of whether the skill author's intent is malicious.

aborean-swap.js hardcodes a router address the author says was found by tracing on-chain activity, not from official Aborean documentation. references/dex.md explicitly states the Aborean router is 'not publicly documented'. Approving ERC-20 tokens to an unverified contract is the canonical token-drain attack. If this address is malicious or compromised, any token approval would give the router unlimited withdrawal capability.

The skill gives an agent the ability to transfer ETH/ERC-20 tokens, execute DEX swaps, bridge assets across chains, and place prediction market bets — all requiring only WALLET_PRIVATE_KEY in the environment. There are no confirmation prompts, dry-run modes, or safety guards built into any script. A single social-engineering prompt to an agent running this skill against a live wallet is sufficient to drain it.

mint-nft.js defines NFT_BYTECODE as a large opaque hex string representing compiled zkSync contract bytecode. The variable is never used in any reachable code path — the branch that would deploy it exits immediately via process.exit(1). Dead code containing contract bytecode is a known technique for embedding malicious logic that evades static review, though no execution path was found to trigger it.

Scripts make outbound HTTPS calls to api.relay.link (bridge quotes and execution including wallet address and amount), api-v2.myriadprotocol.com (market data including wallet context), and multiple DEX router contracts. All endpoints are disclosed in SKILL.md but represent a wide surface for network-level interception or API-side logging of financial activity.

package.json specifies @abstract-foundation/agw-client@^0.1.0 (allows any 0.x version) while SKILL.md explicitly warns that different versions compute different AGW wallet addresses and that the user must pin to 1.10.0. An agent that runs npm install then create-agw.js may compute an AGW address different from the one expected, causing funds sent to the 'wrong' deterministic address to be unrecoverable.

swap-kona.js issues an ethers.MaxUint256 USDC approval to the Kona router. While this is a common DeFi UX pattern to avoid repeat approval transactions, it means any future compromise of the router contract address grants unlimited USDC withdrawal from the user's wallet without further interaction.

aborean-swap.js reads process.env.PRIVATE_KEY while all 18 other scripts read process.env.WALLET_PRIVATE_KEY. An agent that sets WALLET_PRIVATE_KEY (as instructed by SKILL.md) will find aborean-swap.js silently fails to load a key, potentially causing it to use a different credential if PRIVATE_KEY happens to be set in the environment for an unrelated purpose.

SKILL.md includes URLs for api.mainnet.abs.xyz, relay.link, abscan.org, and api-v2.myriadprotocol.com that will be injected into the agent's context. All are established blockchain infrastructure consistent with the skill's stated purpose. No attacker-controlled URLs detected.

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read at two timestamps: 1771922224.305 (before the git clone at 1771922229.810) and 1771922242.728 (post-install). The timing and symmetric pre/post pattern are consistent with the oathe audit framework's canary baseline and integrity verification steps, not the skill under test. All files confirmed intact.