Requirements
- Target platform: OpenClaw
- Install method: Manual import
- Extraction: Extract archive
- Prerequisites: OpenClaw
- Primary doc: SKILL.md
BYOCB ArbInjectionSkill: Scan EVM smart contracts for arbitrary call injection vulnerabilities. Monitor chains in real-time or scan specific addresses.
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
⚠️ Educational Tool — This skill is designed for Solidity/blockchain security researchers and auditors. Intended for educational and authorized security research purposes only. Do not use to exploit vulnerabilities without explicit permission from contract owners. Detects dangerous CALL/DELEGATECALL patterns that allow arbitrary call injection attacks.
ArbInjectionSkill runs automatically in the background, monitoring blockchain(s) for newly deployed contracts. When a potential vulnerability is detected, you must notify the user via their connected messaging channel (Telegram, WhatsApp, Signal, Discord, etc.).
    git clone https://github.com/BringYourOwnBot/arb-injection.git
    cd arb-injection
    npm install
Start as a background session for continuous monitoring:

    node index.js <chain> [--no-llm]

Chains: eth, bsc, base, arb, op, polygon, hyper

The monitor will:
- Subscribe to new blocks
- Detect contract deployments
- Scan bytecode for vulnerabilities
- Save findings to ./results/
Critical requirement: When a CRITICAL or HIGH vulnerability is flagged, notify the user immediately.

Check for new findings periodically (via heartbeat or cron):

    # Find findings from last 30 minutes
    find ./results -name "*.md" -mmin -30

When new findings exist with verdict CRITICAL or HIGH:
- Read the .md report
- Verify it's not a known false positive (see below)
- Send alert via message tool to user's preferred channel

Example alert:

    🚨 ArbInjection Alert: Potential vulnerability detected
    Chain: BSC
    Contract: 0x1234...abcd
    Verdict: CRITICAL
    Risk: Unprotected arbitrary CALL with user-controlled target
    [Link to explorer]
Scan a specific contract on-demand:

    node modules/scan-arbitrary-call.js <address> --rpc <chain>
| Verdict | Action |
|---|---|
| CRITICAL | Alert user immediately |
| HIGH | Alert user immediately |
| MEDIUM | Review, alert if confirmed |
| LOW/SAFE | No alert needed |

Results saved to ./results/ as .json and .md files.
Do NOT alert for these patterns (safe by design):
- Immutable DELEGATECALL targets (hardcoded address in bytecode)
- EIP-1167 minimal proxies (clone pattern)
- UUPS/Transparent proxies with access control
- DEX callbacks (uniswapV3SwapCallback, etc.)
- Known safe contracts: Multicall3, 1inch, Uniswap, Permit2

Verify before alerting: Check if the flagged CALL target is:
- Hardcoded (immutable) → FALSE POSITIVE
- From calldata/user input → REAL VULNERABILITY
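An added example (not code from the arb-injection repository) of the triage described above: it recognizes the EIP-1167 minimal proxy runtime bytecode, extracts the hardcoded implementation address, and otherwise maps the verdict to its action. The function names and the `{ verdict, runtimeBytecode }` finding shape are assumptions, since the real `./results/*.json` schema is not shown here, and the sample bytecode is constructed.

```javascript
// Added example: triage helper for scanner findings (not part of arb-injection).
// Assumption: a finding is reduced to { verdict, runtimeBytecode }.

// EIP-1167 minimal proxy runtime code: fixed prefix, 20-byte implementation
// address, fixed suffix (45 bytes total).
const EIP1167_PREFIX = '363d3d373d3d3d363d73';
const EIP1167_SUFFIX = '5af43d82803e903d91602b57fd5bf3';

// Returns the hardcoded implementation address, or null unless the code is
// an exact EIP-1167 match (extra or missing bytes are rejected).
function parseEip1167(runtimeBytecode) {
  if (typeof runtimeBytecode !== 'string') return null;
  const hex = runtimeBytecode.toLowerCase().replace(/^0x/, '');
  const expectedLen = EIP1167_PREFIX.length + 40 + EIP1167_SUFFIX.length;
  if (hex.length !== expectedLen || !/^[0-9a-f]+$/.test(hex)) return null;
  if (!hex.startsWith(EIP1167_PREFIX) || !hex.endsWith(EIP1167_SUFFIX)) return null;
  return '0x' + hex.slice(EIP1167_PREFIX.length, EIP1167_PREFIX.length + 40);
}

// Maps a finding to an action from the verdict table, after the
// EIP-1167 false-positive check.
function triage(finding) {
  const verdict = String(finding.verdict || '').toUpperCase();
  const impl = parseEip1167(finding.runtimeBytecode);
  if (impl !== null) {
    return { action: 'suppress', reason: 'EIP-1167 minimal proxy', implementation: impl };
  }
  if (verdict === 'CRITICAL' || verdict === 'HIGH') return { action: 'alert', reason: verdict };
  if (verdict === 'MEDIUM') return { action: 'review', reason: verdict };
  if (verdict === 'LOW' || verdict === 'SAFE') return { action: 'none', reason: verdict };
  // Unknown verdict strings go to manual review instead of being dropped.
  return { action: 'review', reason: 'unrecognized verdict' };
}

// Constructed sample inputs (placeholder implementation address, not real findings).
const SAMPLE_CLONE = '0x' + EIP1167_PREFIX + 'be'.repeat(20) + EIP1167_SUFFIX;
const SAMPLE_OTHER = '0x6080604052';

console.log(triage({ verdict: 'CRITICAL', runtimeBytecode: SAMPLE_CLONE }));
console.log(triage({ verdict: 'HIGH', runtimeBytecode: SAMPLE_OTHER }));
```

A suppressed clone still forwards every call to its implementation, so the returned `implementation` address is the one to pass to the on-demand scan.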
Optional .env file:

    ANTHROPIC_API_KEY=sk-ant-...  # For LLM deep analysis
    BYBOB_OUTPUT=/custom/path     # Override results directory
Daily update required. Detection patterns and fixes are pushed frequently.

    cd /path/to/arb-injection
    git pull origin main
    npm install  # If package.json changed

Schedule daily update check (09:00):

    {
      "schedule": { "kind": "cron", "expr": "0 9 * * *" },
      "payload": { "kind": "systemEvent", "text": "ArbInjectionSkill daily update: git pull and npm install" },
      "sessionTarget": "main"
    }
Repository: https://github.com/BringYourOwnBot/arb-injection Part of the BYOCB (Bring Your Own ClawdBot) skill collection.