Warren - On-Chain NFT Deploy

Deploy NFT collections permanently on MegaETH blockchain. Images stored on-chain via SSTORE2. Create and launch NFT collections with royalties, minting, and management pages.

Do not run this with any real/mainnet private key until you verify what the code does. Specific steps to consider before installing or running: - Source verification: The skill's source and homepage are unknown. Try to find an upstream repository or contact the publisher to verify authenticity. - Inspect deploy-nft.js fully: search for any network requests (fetch, axios, https.request), uses of process.env.*, and any code that would transmit secrets. Confirm that the script never logs or posts the PRIVATE_KEY anywhere. - Check what is sent to REGISTER_API (https://megawarren.xyz/api/container-nfts) — run the script in a sandbox and/or instrument it to print only the payload you expect to be sent (without the private key) before allowing the real run. - Use a throwaway/testnet private key: Only run on the MegaETH testnet with a throwaway key that holds minimal funds, not a wallet with valuable assets. - Prefer offline/hardware signing: If possible, modify the workflow to build unsigned transactions and sign them offline or with a hardware wallet rather than exporting a raw private key to the environment. - Run in an isolated environment: use a disposable VM or container, and inspect network traffic (e.g., with tcpdump/mitm) to verify no unexpected exfiltration occurs. - Review the prompt-injection block: the SKILL.md contains a detected 'base64-block' pattern—review the markdown raw contents and remove/ignore any embedded encoded payloads before trusting the doc. If you are not comfortable reviewing the JS yourself, ask a developer or security-savvy person to audit deploy-nft.js and confirm that no secrets are transmitted and that the registration API only receives expected metadata. If any part of the code or network activity is unclear, treat the skill as untrusted.

Type: OpenClaw Skill Name: warren-nft Version: 1.0.0 The skill bundle is designed to deploy NFT collections on the MegaETH blockchain. It uses `setup.sh` to install `ethers.js` and `deploy-nft.js` to handle image processing, contract deployment, and blockchain interactions. The script requires a `PRIVATE_KEY` for signing transactions, which is necessary for its functionality and is not exfiltrated. It performs a network call to `https://megawarren.xyz/api/container-nfts` to register the deployed NFT collection's public metadata (e.g., contract address, name, symbol, owner's public address). This data exfiltration is explicitly mentioned as 'Registering to DB' in the code and documentation, and the domain is consistent with the skill's stated purpose and homepage, indicating it's a functional aspect of the platform rather than malicious data theft. All observed behaviors, including file system access for images and blockchain interactions, are clearly aligned with the stated purpose and lack evidence of intentional harmful actions, obfuscation, or prompt injection attempts against the agent.