DECK-0

v1.0.1

Interact with DECK-0 digital collectibles platform to browse collections, buy card packs, open packs, view leaderboards, and apply as a publisher. Use when the user asks to collect trading cards, purchase NFT packs, manage their collection, or create their own card collection.

⭐ 0· 710·0 current·0 all-time

by@signorcrypto

Security Scan

VirusTotal

Pending

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description (DECK-0 digital collectibles: browse, buy, open packs, publish) match the required tooling: a signer for EIP-191 auth / on-chain transactions and CLI tooling (cast, curl, jq, shasum) used in the provided shell examples. Nothing requested (binaries, env vars) appears unrelated to the stated functionality.

✓

Instruction Scope

SKILL.md and the included docs only instruct the agent to call the DECK-0 API endpoints, construct canonical payloads, sign them, and perform on-chain calls (mintPacks/openPacks). Examples reference only the declared env var and standard temp files; there is no instruction to read unrelated system files or exfiltrate data. The docs explicitly recommend using runtime-provided wallets and treating DECK0_PRIVATE_KEY as a sensitive fallback.

✓

Install Mechanism

Instruction-only skill with no install spec and no downloaded artifacts. It asks the user to ensure Foundry/cast is available (via standard package managers like Homebrew) and to have curl/jq/shasum — this is low-risk and proportionate.

ℹ

Credentials

Only a single environment variable is declared: DECK0_PRIVATE_KEY (primary credential). This is expected for a fallback signing mode, but it's highly privileged — possession of this key allows signing transactions and spending the user's funds. The skill documents this sensitivity and recommends runtime wallets first, which is appropriate.

ℹ

Persistence & Privilege

The skill is not always-enabled and has no install hooks, which limits persistence. However, if DECK0_PRIVATE_KEY is set in the agent environment, the agent (which can invoke skills autonomously by default) could sign and send on-chain transactions without further prompts. The SKILL.md recommends explicit user approval for using the private key, but that policy isn't technically enforced by the docs — treat the env var as a powerful capability.

Assessment

This skill appears coherent for interacting with the DECK-0 platform, but it can use a private key (DECK0_PRIVATE_KEY) as a fallback signer — that key can sign real blockchain transactions and spend funds. Prefer using the runtime-provided wallet signer (hardware or managed wallet) and avoid setting DECK0_PRIVATE_KEY in the environment unless you explicitly trust this skill and understand the risk. If you must provide a key: (1) use an ephemeral or tightly-scoped wallet with minimal funds, (2) never paste keys into chat, (3) remove the env var immediately after use, and (4) monitor the wallet for unexpected transactions. If you want stronger safety, require manual approval before any transaction or use a hardware/runtime signer so the agent cannot sign transactions autonomously.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🃏 Clawdis

Binscast, curl, jq, shasum

EnvDECK0_PRIVATE_KEY

Primary envDECK0_PRIVATE_KEY

latestvk979jbxhd7eekrxncvxnx52twd8105ya

710downloads

0stars

2versions

Updated 1mo ago

v1.0.1

MIT-0

DECK-0 Agents API

Overview

DECK-0 is a digital collectibles platform where users collect trading cards organized in albums. This skill enables agents to:

Browse the shop and view collection details
Buy card packs via smart contract transactions
Open packs to reveal cards
Track collection progress and leaderboard rankings
Publish — apply to create your own card collection

Base URL: https://app.deck-0.com OpenAPI Spec: GET /api/agents/v1/openapi (no auth required)

Setup

Wallet Source Priority

Use this wallet resolution order when signing API requests or sending transactions:

Existing agent wallet provided by the runtime
Existing Base wallet provided by the runtime
DECK0_PRIVATE_KEY fallback (only when neither wallet above exists)

Fallback setup for step 3:

export DECK0_PRIVATE_KEY="0x..."

Optional fallback chain override (used only for API auth signature verification; contract operations use the chain from the collection/price response and your RPC selection):

export DECK0_CHAIN_ID=8453

Install Foundry using a reviewed method (for example Homebrew), then verify cast is available:

brew install foundry
cast --version

Also uses: curl, jq, shasum (standard on macOS/Linux).

Note: The declared requirements (cast, curl, jq, shasum, DECK0_PRIVATE_KEY) are needed for fallback signing and for buy/open flows. Browse-only usage with a runtime-provided wallet may not require DECK0_PRIVATE_KEY or cast.

The wallet needs native tokens (APE on Apechain, ETH on Base) to buy packs.

Security Notes

Prefer runtime-provided wallets whenever available.
DECK0_PRIVATE_KEY is highly sensitive. Only use it as a fallback when the user explicitly approves and the task requires signing or transactions.
Never print, log, or echo private key values.

Quick Reference

Endpoint	Method	Description
`/api/agents/v1/shop/albums`	GET	Browse available collections
`/api/agents/v1/collections/{address}`	GET	Get collection details
`/api/agents/v1/collections/{address}/leaderboard`	GET	View leaderboard rankings
`/api/agents/v1/collections/{address}/price`	GET	Get signed price for purchasing
`/api/agents/v1/me/albums`	GET	List your collections
`/api/agents/v1/me/albums/{address}`	GET	Your progress on a collection
`/api/agents/v1/me/packs`	GET	List your packs
`/api/agents/v1/me/cards`	GET	List your cards
`/api/agents/v1/me/pack-opening/{hash}`	GET	Get pack opening recap
`/api/agents/v1/publisher/application`	GET	Check publisher application status
`/api/agents/v1/publisher/application`	POST	Submit publisher application
`/api/agents/v1/openapi`	GET	OpenAPI specification (no auth)

See endpoints.md for complete request/response schemas.

Authentication

All endpoints (except /openapi) require EIP-191 wallet-signed requests via custom headers:

Header	Description
`X-Agent-Wallet-Address`	Lowercase wallet address
`X-Agent-Chain-Id`	Numeric EVM chain ID used for authentication
`X-Agent-Timestamp`	Unix timestamp in milliseconds
`X-Agent-Nonce`	Unique string, 8-128 characters
`X-Agent-Signature`	EIP-191 signature of canonical payload

The canonical payload to sign:

deck0-agent-auth-v1
method:{METHOD}
path:{PATH}
query:{SORTED_QUERY}
body_sha256:{SHA256_HEX}
timestamp:{TIMESTAMP}
nonce:{NONCE}
chain_id:{CHAIN_ID}
wallet:{WALLET}

See auth.md for the full signing flow with code examples.

Smart Contracts

Buying and opening packs are on-chain operations:

Buy packs: Call GET /api/agents/v1/collections/{address}/price to get a signed price, then call mintPacks() on the album contract with the signature and payment value.
Open packs: Call openPacks(packIds) on the album contract to reveal cards, then poll GET /api/agents/v1/me/pack-opening/{txHash}?chainId=... every 5 seconds to get the recap with card details and badges.

Payment formula: value = (packPrice * priceInNative * quantity) / 100

See smart-contracts.md for ABI, payment calculations, and code examples.

Supported Networks

Network	Chain ID	Currency	Block Explorer
Apechain Mainnet	33139	APE	https://apescan.io
Base	8453	ETH	https://basescan.org

Response Format

All responses follow a standard envelope:

// Success
{ "success": true, "data": { ... }, "share": { "url": "...", "imageUrl": "..." } }

// Error
{ "success": false, "error": { "code": "AGENT_...", "message": "...", "details": { ... } } }

See errors.md for all error codes and troubleshooting.

Sharing URLs

Most responses include URLs that link to the DECK-0 web app. Always present these to the user so they can view, share, or explore further in their browser.

share.url — Present on most responses. Links to the relevant page (collection, leaderboard, shop, pack opening recap, etc.). Show this to the user as a shareable link.
share.imageUrl — When available, an image preview URL (e.g., collection cover). Can be used for rich embeds or previews.
data.cards[].url — On pack opening recap responses, each card includes a direct link to its detail page. Show these to the user so they can view or share individual cards.

Rate Limits

Per wallet: 60 requests/minute
Per IP: 120 requests/minute

Rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, Retry-After) are included on 429 responses.

Intent Mapping

When the user says:

"Show me available card collections" → Browse shop albums
"Tell me about collection 0x..." → Get collection details
"Buy 3 packs from collection 0x..." → Get signed price, call mintPacks
"Open my packs" → Call openPacks on contract, then poll pack opening recap
"What cards did I get?" / "Show my pack opening results" → Get pack opening recap
"How's my collection progress?" → Get my albums
"Show my packs" / "What packs do I have?" → List my packs
"Show my cards" / "What cards do I have?" → List my cards
"Show the leaderboard" → Get collection leaderboard
"Share my pack opening" / "Show me the link to my card" → Use share.url or cards[].url from the response
"I want to create my own card collection" → Submit publisher application

Supporting Files

auth.md — Full authentication flow, signing code, payload construction
endpoints.md — Complete API reference with all request/response schemas
smart-contracts.md — On-chain operations: minting packs, opening packs, ABI, code examples
examples.md — End-to-end workflow examples with request/response pairs
errors.md — Error codes, rate limiting, troubleshooting

Comments

Loading comments...