📦 ABI-to-MCP: The Web3 Skill Architect — 技能工具

v1.0.0

Interact with Erc20 smart contract via read/write functions

0· 27·0 当前·0 累计

by @justinxai (JustinX)·MIT-0

网络工具浏览器自动化

下载技能包

License

MIT-0

最后更新

2026/4/15

安全扫描

VirusTotal

无害

查看报告

OpenClaw

可疑

medium confidence

The skill's purpose (interacting with ERC‑20 contracts) matches its instructions, but the runtime instructions require sensitive environment variables (PRIVATE_KEY, RPC_URL, CONTRACT_ADDRESS) that are not declared in the registry metadata — this mismatch and the need to handle private keys is a security concern.

评估建议

This skill will ask the agent to use an RPC URL and a private key to send transactions. Before installing: 1) Treat PRIVATE_KEY as extremely sensitive — do not paste your main account private key into environment variables for third‑party skills. Prefer external signers (hardware wallets, MetaMask WalletConnect) or a dedicated burner account with minimal funds and privileges. 2) Ask the publisher to update metadata to declare required env vars and a primary credential so you can see the need up ...

详细分析 ▾

⚠ 用途与能力

The skill claims to interact with ERC‑20 contracts and the SKILL.md describes read/write functions (including transfer, approve, mint, burn). Those capabilities legitimately require an RPC endpoint, contract address, and a signing key. However, the registry metadata declares no required environment variables or primary credential, creating an inconsistency between what the skill says it needs at runtime and what the package requests in metadata.

⚠ 指令范围

SKILL.md explicitly instructs the runtime to use RPC_URL, PRIVATE_KEY, and CONTRACT_ADDRESS and to execute write transactions that consume gas. The instructions remain within the stated purpose (blockchain reads/writes) but they direct the agent to handle a private key and perform state-changing operations — actions that can transfer funds or change token supply. The file does not specify safe signing practices (e.g., using an external signer) or limit the agent's discretion, which increases risk.

✓ 安装机制

This is an instruction-only skill with no install spec and no code files. Nothing will be written to disk by an installer — low install risk. However, runtime behavior depends on the agent following the SKILL.md instructions.

⚠ 凭证需求

SKILL.md requires three sensitive values (RPC_URL, PRIVATE_KEY, CONTRACT_ADDRESS) but the skill metadata lists none and sets no primary credential. Requiring a PRIVATE_KEY is proportionate to performing write transactions, but not declaring it in metadata is an incoherence and a red flag. The PRIVATE_KEY is highly sensitive: exposing it allows full control of on‑chain assets for that account.

✓ 持久化与权限

The skill does not request always:true and does not claim to modify other skills or system configuration. Default autonomous invocation is allowed (platform default) and should be considered in combination with the other concerns, but it is not by itself a misconfiguration here.

安全有层次，运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发，无需署名。

查看条款 ↗

运行时依赖

无特殊依赖

版本

latestv1.0.02026/4/15

Initial release of erc20-skill. - Enables interaction with ERC20 smart contracts for both read and write operations. - Supports essential read functions: name, symbol, decimals, totalSupply, balanceOf, allowance. - Implements core write functions: transfer, approve, transferFrom, mint, burn. - Provides workflow and environment setup instructions. - Lists key constraints for proper operation. - Includes event descriptions for Transfer and Approval.

● 无害

安装命令

点击复制

官方npx clawhub@latest install abi-to-mcp-generator

镜像加速npx clawhub@latest install abi-to-mcp-generator --registry https://cn.longxiaskill.com

技能文档

Workflow

Setup: Configure environment variables RPC_URL, PRIVATE_KEY, CONTRACT_ADDRESS
Read: Use read functions (view/pure) to query contract state
Write: Use write functions to modify contract state (requires gas)

Constraints

Constraint	Requirement
RPC Provider	Any Ethereum JSON-RPC endpoint
Private Key	Must have contract permissions
Gas Limit	Adjust based on function complexity
Network	Must match contract deployment

Read Functions

name

name()

Returns: string

Example:

const result = await name({  });

symbol

symbol()

Returns: string

Example:

const result = await symbol({  });

decimals

decimals()

Returns: uint8

Example:

const result = await decimals({  });

totalSupply

totalSupply()

Returns: uint256

Example:

const result = await totalSupply({  });

balanceOf

balanceOf(address account)

Returns: uint256

Parameters:

| account | address |

Example:

const result = await balanceOf({ account: "0x... });

allowance

allowance(address owner, address spender)

Returns: uint256

Parameters:

Example:

const result = await allowance({ owner: "0x..., spender: "0x... });

Example:

const tx = await burn({ amount: value });

Events

Transfer

Signature: Transfer([indexed] address from, [indexed] address to, uint256 value)

Approval

Signature: Approval([indexed] address owner, [indexed] address spender, uint256 value)

Built with ❤️ by JustinXai ABI-to-MCP. Get the generator: https://github.com/JustinXai/abi-to-mcp

数据来源：ClawHub ↗ · 中文优化：龙虾技能库