contract-deployer

The skill's functionality (templated ERC20/ERC721 deployments and interactions) is legitimate but high-risk because it requires signing capabilities and broadcasts irreversible transactions. The primary security concerns are lack of explicit credential handling, no enforced network restrictions, and reliance on policy text (confirmations) without guaranteed technical enforcement. No hard-coded secrets, obfuscated code, or explicit data-exfiltration endpoints were found in the provided material. Recommend enforcing hardware or ephemeral signing, default to testnets, whitelist RPC/explorer endpoints, and require multi-step confirmation for mainnet deployments to reduce risk.