Safety Report

Abstract Onboard

Name: Abstract Onboard
Rating: 3 (4 reviews)
Author: Masoncags-tech

Deploy smart contracts and bridge assets to Abstract (ZK Stack L2). Use when an agent needs to deploy contracts on Abstract, bridge ETH/tokens to Abstract, trade/swap tokens, place predictions on Myriad Markets, check balances, transfer assets, or interact with Abstract mainnet. Covers zksolc compilation, Hardhat deployment, Relay bridging, DEX trading (Kona, Aborean), Myriad prediction markets, and key contract addresses.

1,730Downloads

2Installs

4Stars

7Versions

API Integration4,971 DevOps & Infrastructure1,045 Maps & Geolocation980 Legal & Compliance738

Security Analysis

high confidence

Suspicious0.08 risk

The skill's code and runtime instructions do what its description says (deploy, bridge, swap, transfer), but the package/registry metadata omits required secrets (private keys) and a few scripts perform high-risk actions (e.g., bridging full balances) without safeguards — the packaging and declared requirements are inconsistent and potentially dangerous if used with real keys.

Feb 11, 202630 files4 concerns

Purpose & Capabilitynote

The name/description (deploy, bridge, trade, manage AGW on Abstract) match the included scripts and reference docs. The code implements the advertised capabilities (deploy-abstract, relay-bridge, swaps, Myriad interactions, AGW creation).

Instruction Scopeconcern

SKILL.md and scripts instruct the agent/user to provide private keys (WALLET_PRIVATE_KEY or PRIVATE_KEY) and to run actions that transfer value (bridge, swap, transfer, approve). Some scripts (bridge-usdc-relay.js) automatically compute the full token balance and execute all steps returned by an external quote API, effectively bridging nearly the entire balance without an explicit per-step confirmation. Scripts expect and will use secrets and can perform irreversible on-chain operations — this is in-scope for the stated purpose but requires clear user consent and safeguards; the skill's instructions do not enforce or document enough safety checks.

Install Mechanismnote

There is no install spec in registry metadata (instruction-only), but a package.json with dependencies (ethers, zksync-ethers, viem, @abstract-foundation/agw-client) is included. Installing these via npm is expected for functionality; there are no obscure external download URLs in the manifest. However the install step is not declared in the registry metadata, which is an omission the user should be aware of.

Credentialsconcern

Registry metadata states 'Required env vars: none', but many scripts and SKILL.md explicitly require WALLET_PRIVATE_KEY or PRIVATE_KEY, and some accept ABSTRACT_RPC/ABSTRACT_RPC/DEX_ROUTER and other env vars. Requiring a private key is proportionate to the claimed functionality, but the metadata omission is a significant mismatch and the skill asks for highly sensitive secrets without declaring them. Multiple env var names are used inconsistently across scripts (WALLET_PRIVATE_KEY vs PRIVATE_KEY), increasing risk of accidental use of the wrong secret.

Persistence & Privilegeok

The skill does not request always:true, does not attempt to alter other skills or system-wide settings, and is not marked to run persistently. It operates as invoked — autonomy is allowed by default but not elevated here.

Guidance

This skill appears to implement the advertised Abstract (ZK Stack L2) operations, but the registry metadata is misleading: it claims no required environment variables while the scripts repeatedly expect your wallet private key (WALLET_PRIVATE_KEY or PRIVATE_KEY) and will sign and send real transactions (bridge, swap, transfer, deploy). Before installing or running it: - Do not provide your mainnet private key to this skill without strong review and safeguards. Treat the key as highly sensitive. - Audit the scripts you plan to run. The bridge script will attempt to bridge nearly the entire token balance automatically — run it only after inspecting the code and testing on testnet with a throwaway key. - Prefer using a testnet or a throwaway wallet first to validate behavior, or use a hardware wallet / multisig where feasible (these scripts expect raw private keys and will not work with hardware wallets as-is). - Pin and inspect dependencies locally (package.json). Run npm install in an isolated environment and review node_modules or use reproducible lockfile to avoid supply-chain risks. - Note inconsistent env var names across scripts (WALLET_PRIVATE_KEY vs PRIVATE_KEY). Use caution to avoid accidentally exposing the wrong key. - If you decide to use it, run each action manually (read the script, run in dry-run or with small amounts) and avoid any script that automatically moves your entire balance without confirmation. Given the metadata omissions and potentially destructive defaults, treat this skill as suspicious until you (or a trusted auditor) verify the code and run it in a safe environment.

Latest Release

v1.6.0

- added 3, updated 1 file(s). - Updated SKILL.md and bundle contents.

Popular Skills

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Find Skills

@JimLiuxinghai · 529 stars

Proactive Agent

@halthelobster · 426 stars

Summarize

@summarize · 415 stars

Published by @Masoncags-tech on ClawHub