Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

4Claw Mint

v1.0.0

Mint 4Claw tokens on BSC through OpenClaw agents. Each agent can mint 100 tokens every 15 minutes. Use when the user wants to mint 4Claw tokens, check mint s...

by Xiaoyu @xiaoyu022025

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xiaoyu022025/4claw-mint.

Install the skill "4Claw Mint" (xiaoyu022025/4claw-mint) from ClawHub.
Skill page: https://clawhub.ai/xiaoyu022025/4claw-mint
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install 4claw-mint

ClawHub CLI

npx clawhub@latest install 4claw-mint

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The skill's name and code (mint.js and server.js) match the stated purpose of minting 4Claw tokens on BSC. However the SKILL metadata declares no required credentials or secrets even though the included signer server requires a SIGNER_PRIVATE_KEY and CONTRACT_ADDRESS. Also the mint script defaults to a hard-coded remote SERVER_URL (http://43.160.201.224:3456) which is not justified by the metadata or documentation.
! Instruction Scope
The runtime instructions ask agents to run node scripts/mint.js with the agent's wallet private key (reasonable for sending the transaction locally). But the mint script will POST the agent wallet address to a default external IP-based signer service (43.160.201.224). That server will learn which agent wallets are minting and can return arbitrary contract info/signatures. The SKILL.md does note you can run your own signer, but the default points to an external server the user likely does not control — a privacy and operational risk.
Install Mechanism
There is no install specification (instruction-only plus included scripts). Nothing is automatically downloaded or installed by the registry; the code is provided in the skill bundle. This is lower risk than arbitrary remote installs.
! Credentials
The skill metadata does not declare any required environment variables or primary credential, yet scripts/server.js clearly requires SIGNER_PRIVATE_KEY and CONTRACT_ADDRESS to run. That mismatch is a red flag: sensitive credentials are necessary to operate the signer but are not advertised in the skill manifest. Also the default SERVER_URL points to a third-party IP — the skill could be used with that remote signer, which would collect agent wallet addresses and mint timing (privacy leak).
Persistence & Privilege
The skill does not request always:true, does not create persistent system-wide configuration, and does not alter other skills. It runs as-invoked and requires explicit execution by agents.
What to consider before installing
This skill implements the advertised minting flow, but it has two practical risks you should consider before installing or running it:

  • Default remote signer: The mint script defaults to http://43.160.201.224:3456. If you run the mint command without specifying a different SERVER_URL, your agent will contact that external server and reveal its wallet address and mint activity. Only use a remote signer you trust. Prefer running your own signer service (scripts/server.js) under your control.
  • Undeclared sensitive env vars: The signer requires SIGNER_PRIVATE_KEY and CONTRACT_ADDRESS but the skill metadata doesn't declare these. If you deploy the signer, keep SIGNER_PRIVATE_KEY secret; anyone with it can sign mint authorizations.

Practical recommendations:

  • Do not pass your private key to any third party. The mint.js script accepts your agent wallet private key as a CLI argument; run it locally and do not share that key.
  • If you want to use this skill, host the signer yourself: set SIGNER_PRIVATE_KEY and CONTRACT_ADDRESS, run server.js on infrastructure you control, and call mint.js with SERVER_URL pointing to your signer.
  • Verify the contract address and contract source independently (the SKILL.md lists a contract, but remote signers can return arbitrary contract addresses). Ensure the signer is configured to sign only for the intended contract and chain.
  • If you cannot host your own signer or fully trust the default remote IP, do not use this skill. The behavior (external signer, undeclared secrets) is inconsistent with safe defaults.

Like a lobster shell, security has layers — review code before you run it.

latestvk9729rwnzb3tnjn1bwr6wq5x1h81vt8k
474 downloads
0 stars
1 version
Updated 18h ago
v1.0.0
MIT-0

4Claw Mint

Mint 4Claw (symbol: 4) tokens on BSC. Only OpenClaw agents can mint — the contract requires a signature from the authorized signer service.

Token Info

  • Name: 4Claw, Symbol: 4
  • Chain: BSC (Chain ID: 56)
  • Contract: 0x5F4E6Ee459fA71C226131BCeD5694aAab3b481dB
  • Total Supply: 1,000,000
  • Public Mint: 600,000 (100 per mint, 6000 total mints)
  • LP Reserve: 400,000 (pre-minted to deployer)
  • Cooldown: 15 minutes per wallet

How It Works

  1. Agent calls the signer service with its wallet address
  2. Service checks cooldown, generates nonce + deadline, signs the mint authorization
  3. Agent submits the signature to the on-chain contract
  4. Contract verifies signature, enforces cooldown, mints 100 tokens

Mint

Run the mint script with the agent's wallet private key:

node scripts/mint.js <PRIVATE_KEY> <SERVER_URL>

  • PRIVATE_KEY: Agent's BSC wallet private key (needs small BNB for gas)
  • SERVER_URL: Signer service URL (default: http://43.160.201.224:3456)

The script handles everything: request signature → send tx → confirm → report balance.
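
A check to run before submitting the mint transaction, as an added example that is not part of the skill's mint.js: it refuses to proceed without an explicitly chosen signer URL and pins the contract address, chain ID and 5-minute validity window listed on this page. The response field names (contract_address, chain_id, nonce, deadline, signature) and the 65-byte signature format are assumptions; the page documents only the request body.

```javascript
// Added example: pinned values come from the skill page; response field names are assumed.
const PINNED = {
  contract: "0x5F4E6Ee459fA71C226131BCeD5694aAab3b481dB",
  chainId: 56,
  maxValiditySec: 5 * 60, // page: signature is valid for 5 minutes
};

// Require an explicit signer URL: HTTPS, or plain HTTP only to a local signer.
function checkSignerUrl(serverUrl) {
  if (!serverUrl) return "no SERVER_URL given; refusing to fall back to a default";
  let u;
  try { u = new URL(serverUrl); } catch { return "SERVER_URL is not a valid URL"; }
  const local = ["localhost", "127.0.0.1", "[::1]"].includes(u.hostname);
  if (u.protocol === "https:" || (u.protocol === "http:" && local)) return null;
  return "signer must be HTTPS or a local service";
}

// Returns a list of problems; an empty list means the response may be submitted.
function checkSignerResponse(resp, nowSec, pinned = PINNED) {
  const problems = [];
  const addr = String(resp.contract_address || "");
  if (addr.toLowerCase() !== pinned.contract.toLowerCase())
    problems.push("contract address differs from the pinned one");
  if (Number(resp.chain_id) !== pinned.chainId)
    problems.push("chain ID differs from the pinned one");
  const deadline = Number(resp.deadline);
  if (!Number.isInteger(deadline) || deadline <= nowSec)
    problems.push("deadline missing or already expired");
  else if (deadline - nowSec > pinned.maxValiditySec)
    problems.push("deadline is further out than the 5-minute window");
  // Assumed format: 65-byte ECDSA signature (r, s, v) as 0x-prefixed hex.
  if (!/^0x[0-9a-fA-F]{130}$/.test(String(resp.signature || "")))
    problems.push("signature is not 65 bytes of hex");
  if (!/^(0x[0-9a-fA-F]{1,64}|\d+)$/.test(String(resp.nonce ?? "")))
    problems.push("nonce missing or malformed");
  return problems;
}

// Constructed sample responses (not captured from any real signer).
const now = 1700000000;
const good = { contract_address: PINNED.contract.toLowerCase(), chain_id: 56,
  nonce: "42", deadline: now + 240, signature: "0x" + "ab".repeat(65) };
const swapped = { ...good, contract_address: "0x" + "11".repeat(20), deadline: now + 86400 };
console.log(checkSignerUrl("http://localhost:3456"), checkSignerResponse(good, now));
console.log(checkSignerUrl(undefined), checkSignerResponse(swapped, now));
```

These checks are structural only; they do not recover the signer address from the signature, which the contract does on-chain.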

Signer Service

The signer service must be running for mints to work. It validates requests and signs mint authorizations.

SIGNER_PRIVATE_KEY=0x... CONTRACT_ADDRESS=0x... node scripts/server.js

Endpoints:

  • POST /api/mint-signature — Request a mint signature. Body: {"wallet_address": "0x..."}
  • GET /api/status — Check service status

Contract

Source: references/FourClaw.sol

Key functions:

  • mint(nonce, deadline, signature) — Mint 100 tokens (requires valid signer signature)
  • lastMintTime(address) — Check when an address last minted
  • mintRemaining() — How many public mint tokens are left
  • setSigner(address) — Owner can update the signer address

Setup for Deployer

  1. Deploy FourClaw.sol to BSC with constructor args: (signerAddress, lpWalletAddress)
  2. Set env vars and start the signer service
  3. Share the skill — any OpenClaw agent with a BSC wallet can mint

Error Handling

  • Cooldown not elapsed: Wait 15 minutes between mints
  • Public mint exhausted: All 600,000 tokens have been minted
  • Signature expired: Signature is valid for 5 minutes, retry
  • Invalid signature: Signer service may be misconfigured
  • Insufficient BNB: Agent wallet needs BNB for gas (~0.001 BNB per mint)
