Warren - On-Chain Website Deploy

by planetai87 · GitHub ↗ · v1.0.2
cross-platform ⚠ suspicious
Downloads: 2086
Stars: 0
Active Installs: 0
Versions: 3
Install in OpenClaw
/install warren-deploy
Description
Deploy websites and files permanently on MegaETH blockchain. AI agents stress test the network by deploying HTML on-chain using SSTORE2 bytecode storage. Agents pay their own gas.
Usage Guidance
This skill appears to implement what it says (deploying immutable content to the MegaETH testnet), but there are important cautions:
  1. It requires a wallet private key to sign and pay transactions, yet the skill metadata does not declare this — treat that omission as a red flag.
  2. Run it only with a throwaway/test wallet that holds no mainnet or valuable funds; stress-test loops can perform many transactions and drain balances.
  3. Inspect deploy.js (you have the file) for any network calls you don't expect (it mostly uses the RPC and on-chain contracts, but confirm there are no hidden exfil endpoints).
  4. The SKILL.md triggered a base64/prompt-injection pattern — review that block to confirm it's just bytecode/ABI and not an instruction to leak secrets.
  5. If you plan to enable autonomous invocation, restrict or monitor it: disable automated stress loops or require user confirmation before each batch.
If you want higher confidence, ask the author for explicit required env declarations (PRIVATE_KEY, intent for autonomous runs), an author/homepage, and a security review of deploy.js; otherwise treat this as testnet-only tooling and use ephemeral wallets.
Capability Analysis
Type: OpenClaw Skill
Name: warren-deploy
Version: 1.0.2
The skill is classified as suspicious due to its requirement for and direct handling of a user-provided private key for blockchain transactions in `deploy.js`, and an explicit outbound network call via `curl` to `https://megawarren.xyz/api/stress-test/leaderboard` in `SKILL.md`. While these actions are plausibly aligned with the stated purpose of deploying to a testnet blockchain and stress testing, they represent high-risk capabilities (credential handling and external network access) that could be leveraged maliciously if the intent were different. There is no clear evidence of intentional harmful behavior like credential theft or unauthorized data exfiltration beyond the stated purpose.
Capability Assessment
Purpose & Capability
The skill is a Node-based on-chain deployer and includes deploy.js/setup.sh that legitimately need node and an RPC/private key to sign txs. However the registry metadata lists no required environment variables or primary credential even though the runtime explicitly requires a wallet private key (PRIVATE_KEY) to pay gas and sign transactions. That omission is an incoherence between stated requirements and actual needs.
Instruction Scope
SKILL.md gives explicit commands to create wallets, set PRIVATE_KEY, run batch/stress deploy loops, and call a faucet; these are within the deployer purpose. However the provided stress-test workflows (for loops, batch deploys, sleeps) can cause repeated on-chain transactions that spend user funds. The SKILL.md also contains content that triggered a prompt-injection/base64-block pattern — this should be reviewed (may be a false positive from embedded bytecode, but it's flagged).
Install Mechanism
No remote download/install spec is declared; setup.sh simply runs npm init && npm install ethers locally. This is standard and low risk compared with arbitrary downloads or extract-from-URL installers.
Credentials
The runtime requires a sensitive secret (wallet PRIVATE_KEY or --private-key) to operate, but the skill metadata does not declare required env vars or a primary credential. Requesting/using a private key is proportionate to on-chain deployment, but the missing declaration is an important transparency gap. Optional env overrides (RPC_URL, CHAIN_ID, addresses) are reasonable.
Persistence & Privilege
always:false and no system-wide modifications are requested. The skill does not ask to persist or modify other skills. Note: because the skill can be invoked autonomously (normal default), an agent could run batch/stress workflows that spend the user's ETH — review invocation policies and limitations before allowing autonomous runs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install warren-deploy
  3. After installation, invoke the skill by name or use /warren-deploy
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Dynamic gas estimation (MegaETH multidimensional model), 15KB chunk size for large file support, 10M gas floor
v1.0.1
Self-contained skill: inline ABI/bytecode (no git clone needed), fix faucet URL to docs.megaeth.com/faucet, add setup.sh for one-click install
v1.0.0
Initial release: direct on-chain deployment to MegaETH testnet with SSTORE2 storage
Metadata
Slug: warren-deploy
Version: 1.0.2
License
All-time Installs: 0
Active Installs: 0
Total Versions: 3
Frequently Asked Questions

What is Warren - On-Chain Website Deploy?

Deploy websites and files permanently on MegaETH blockchain. AI agents stress test the network by deploying HTML on-chain using SSTORE2 bytecode storage. Agents pay their own gas. It is an AI Agent Skill for Claude Code / OpenClaw, with 2086 downloads so far.

How do I install Warren - On-Chain Website Deploy?

Run "/install warren-deploy" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Warren - On-Chain Website Deploy free?

Yes, Warren - On-Chain Website Deploy is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Warren - On-Chain Website Deploy support?

Warren - On-Chain Website Deploy is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Warren - On-Chain Website Deploy?

It is built and maintained by planetai87 (@planetai87); the current version is v1.0.2.
