Gotchi Channeling
v0.2.0Channel Aavegotchis on Base via Bankr. Checks cooldown, builds calldata, and submits channel txs safely.
⭐ 0· 577·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match what the code does: scripts build calldata, query cooldowns via RPC, and submit transactions to Bankr. Required binaries (cast, jq, curl) and the BANKR_API_KEY credential are appropriate and expected for this functionality.
Instruction Scope
Runtime instructions and scripts generally stay within the stated domain (RPC queries, calldata construction, Bankr POST). However the repository contains contradictory documentation about whether a backend signature is required: references/FUNCTION_SIGNATURE.md says a backend signature is a blocker, while scripts (channel.sh) build calldata with lastChanneled=0 and signature=0x and submit it to Bankr. This inconsistency could cause unexpected failed transactions or silent logic errors. The scripts also search for BANKR_API_KEY in systemctl and other local skill config files (~/.openclaw/skills/bankr/config.json and ~/.openclaw/workspace/skills/bankr/config.json) — that is explained in SKILL.md but does mean the skill will read other local skill configs to resolve credentials.
Install Mechanism
No install spec; this is instruction+script based and does not download or execute remote archives. That keeps installation risk low. The skill does execute network calls (Bankr API) at runtime, which is expected.
Credentials
Only BANKR_API_KEY is required (declared as primaryEnv), which is proportionate. The code will also try to recover the key from systemd user environment and other local bankr config files; reading other local skill config files is justified for key resolution but is a behavior users should be aware of (it could surface keys stored by a separate Bankr skill).
Persistence & Privilege
Skill does not request 'always: true' or any elevated platform privileges and does not modify other skills' configs. It runs as a user-invoked/autonomously-invokable script (default), which is expected for this type of automation.
What to consider before installing
This skill mostly does what it says (checks cooldowns, builds calldata, and posts transactions to Bankr), and asking for BANKR_API_KEY is appropriate. Before installing or automating: 1) Test manually: run ./scripts/check-cooldown.sh and ./scripts/channel.sh for one pairing to confirm a successful end-to-end flow and inspect the Bankr response and Base tx on Basescan. 2) Verify the contract ABI yourself — some files in the repo claim a backend signature is required; if the contract enforces a signature, the current approach (0x signature, lastChanneled=0) may fail or be rejected by the chain/backend. 3) Protect your BANKR_API_KEY: the scripts will look for it in systemd and other local skill config files — avoid placing high-privilege keys in shared/global config files. 4) Review the Bankr API endpoint (https://api.bankr.bot/agent/submit) and its scopes/rate limits and confirm you trust the service to submit transactions on your behalf. 5) Only configure parcels/gotchis you own (repository repeatedly warns about ownership risks). If you need absolute assurance about signature/authorization behavior, ask the maintainer for clarification or check the on-chain contract/official Aavegotchi docs before automating. The inconsistencies in documentation vs. scripts are likely sloppy engineering rather than malicious, but they create real operational risk, so proceed with caution.Like a lobster shell, security has layers — review code before you run it.
latestvk971rm4wk7j2gs288bmfewwar982d5sw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binscast, jq, curl
EnvBANKR_API_KEY
Primary envBANKR_API_KEY