MintGarden

v1.0.0

Browse and search Chia NFTs and collections, view stats, trade history, recent sales, trending data, and user profiles via MintGarden API.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The package, SKILL.md, README, and source files consistently implement a MintGarden API client and CLI for searching collections, NFTs, profiles, events, and stats. The code calls the MintGarden API (https://api.mintgarden.io) and exposes CLI commands matching the documented commands. No unrelated services, cloud credentials, or binaries are requested.
Instruction Scope
Runtime instructions (SKILL.md) describe CLI/agent usage and an optional MINTGARDEN_API_URL env var. The code implements the documented API client and command handling. Two small scope mismatches: (1) SKILL.md documents an optional MINTGARDEN_API_URL environment variable, but the code (index.js + lib/api.js) does not read process.env.MINTGARDEN_API_URL when constructing the client (the API class accepts a constructor param but index.js instantiates it with no env var), so the documented env var is ineffective; (2) SKILL.md mentions Telegram integration; the code provides CLI/handleCommand functions but contains no direct Telegram bot code — Telegram support is expected to be provided by the surrounding Clawdbot/agent platform. Neither mismatch indicates malicious behavior but they are usability/integration inconsistencies.
Install Mechanism
There is no platform install spec (install is not auto-declared), but an install.sh and package.json are included. install.sh runs npm install --production and is straightforward. Dependencies are standard (axios). No downloads from arbitrary URLs, no archives extracted, and no exotic install steps were used.
Credentials
The skill declares no required environment variables or credentials, and the code does not request secrets. The only network target is the public MintGarden API. The SKILL.md optional environment variable (MINTGARDEN_API_URL) is not actually consumed by the code, an inconsistency but not a credential risk.
Persistence & Privilege
The skill does not request persistent elevated privileges or 'always' inclusion. It is a normal runtime skill (user-invocable, agent-invocable). It does not modify other skills or system-wide config. Installation writes typical node modules only if you run npm install.
Assessment
This skill appears to do what it says: a MintGarden API client/CLI that talks to https://api.mintgarden.io. Before installing, consider:

- The SKILL.md mentions an optional MINTGARDEN_API_URL env var, but the shipped index.js constructs MintGardenAPI() without reading process.env; if you need to point the skill at a different base URL you would need to modify the code or the constructor call.
- The CLI lowercases incoming commands (index.js lowercases the entire input). That could alter case-sensitive IDs or metadata in some edge cases (verify behavior with your IDs).
- Telegram integration is referenced in docs but not implemented in the code — expected to be provided by the agent/platform wiring.
- The package requires npm install (and will install axios and its normal transitive deps). Review the package-lock.json and run npm audit if you want to check for dependency vulnerabilities.
- The skill makes outbound network calls to api.mintgarden.io; if you need to restrict network access, run it in an environment that enforces outbound controls.

If these points are acceptable, the code shows no signs of credential exfiltration or contacting unexpected endpoints. If you want stronger assurance, run the skill in a sandbox, inspect network traffic during use, or patch the code to honor a MINTGARDEN_API_URL environment variable if you require a custom endpoint.

Like a lobster shell, security has layers — review code before you run it.

latest vk979eb0f63jngyhv9zde660t3h80521s
