Scan Report
0/100
superrare-mint
Mint art to a SuperRare-compatible ERC-721 collection on Ethereum or Base via Bankr
Legitimate SuperRare NFT minting skill with fully declared capabilities, standard blockchain tooling, and no hidden behavior.
Safe to install
Skill is safe to use. No action required.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | SKILL.md:15 lists jq; scripts read config.json, deploy receipts, write receipts |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md:15 lists cast, jq, curl, node; scripts invoke these as subprocesses |
| Network | READ | READ | ✓ Aligned | SKILL.md:27 declares Bankr API; scripts POST to api.bankr.bot and api.superrare.… |
| Environment | READ | READ | ✓ Aligned | SKILL.md:16 declares BANKR_API_KEY; resolve_bankr_api_key() reads env vars local… |
| Skill Invoke | NONE | NONE | — | No cross-skill invocations |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser usage |
| Database | NONE | NONE | — | No database access |
11 findings
| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | Wallet Address | 0x0000000000000000000000000000000000000000 | config.example.json:4 |
| Medium | External URL | https://api.superrare.org | config.example.json:9 |
| Medium | External URL | https://ethereum-rpc.publicnode.com | scripts/lib.sh:68 |
| Medium | External URL | https://etherscan.io/tx/ | scripts/lib.sh:69 |
| Medium | External URL | https://ethereum-sepolia-rpc.publicnode.com | scripts/lib.sh:74 |
| Medium | External URL | https://sepolia.etherscan.io/tx/ | scripts/lib.sh:75 |
| Medium | External URL | https://base-rpc.publicnode.com | scripts/lib.sh:80 |
| Medium | External URL | https://basescan.org/tx/ | scripts/lib.sh:81 |
| Medium | External URL | https://base-sepolia-rpc.publicnode.com | scripts/lib.sh:86 |
| Medium | External URL | https://sepolia.basescan.org/tx/ | scripts/lib.sh:87 |
| Medium | External URL | https://api.bankr.bot | scripts/lib.sh:146 |
File Tree
7 files · 30.8 KB · 1051 lines
Shell 3f · 678L
JavaScript 1f · 214L
Markdown 1f · 142L
JSON 2f · 17L
├─ scripts
│ ├─ lib.sh (Shell)
│ ├─ mint-art.sh (Shell)
│ ├─ mint-via-bankr.sh (Shell)
│ └─ pin-metadata.mjs (JavaScript)
├─ clawhub.json (JSON)
├─ config.example.json (JSON)
└─ SKILL.md (Markdown)
Security Positives
✓ Dry-run is the default; transactions only broadcast with --broadcast or DRY_RUN=0
✓ Contract mode is enforced before any action—script refuses to run without explicit ownership-given or own-deployed
✓ Chain mismatch validation prevents cross-chain receipt reuse
✓ Credential lookup is local-only; BANKR_API_KEY is used for API auth, never exfiltrated
✓ All external API calls go to well-known, documented endpoints (api.superrare.org, api.bankr.bot)
✓ No base64, eval, curl|bash, or other obfuscation/remote execution patterns
✓ No sensitive path access (~/.ssh, ~/.aws, .env secrets extraction)
✓ Receipts written locally with no outbound transmission of transaction data
✓ Standard, auditable shell tooling (cast, jq, curl, node) used throughout
✓ SKILL.md thoroughly documents all scripts, environment variables, and file paths