ClawHub

Gotchi Equip

v1.0.3

Equip, unequip, and inspect Aavegotchi wearables on Base via Bankr submissions.

0· 650·2 current·3 all-time
by@aaigotchi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (node, jq, curl), and the single required env var (BANKR_API_KEY) match the implementation: scripts build an ABI calldata with the local Node module and submit a transaction to Bankr. The external endpoints used (Bankr submission endpoint and a Base subgraph URL) are coherent with the declared functionality.
Instruction Scope
Runtime instructions and scripts limit actions to: validating gotchi IDs, querying a Base subgraph for current wearables, constructing calldata via lib/equip-lib.js (uses viem), and posting the prepared transaction JSON to https://api.bankr.bot/agent/submit. The scripts also attempt to resolve BANKR_API_KEY from env, systemctl --user, or two ~/.openclaw bankr config paths — this cross-skill config lookup is expected for convenience but is broader than purely reading the environment variable alone.
Install Mechanism
There is no install spec (instruction-only), which is low-risk. The package.json and package-lock.json list 'viem' as a dependency; the scripts assume node can require the local lib and that dependencies are installed. This is not malicious but you may need to run npm install locally for node to resolve 'viem' before the Node helper scripts work.
Credentials
Only BANKR_API_KEY is requested. The scripts attempt to obtain the key from BANKR_API_KEY env, systemctl --user environment, or bankr config files under ~/.openclaw; these are consistent with needing an API key to submit via Bankr and do not request unrelated secrets or multiple credentials.
Persistence & Privilege
always is false, the skill does not modify other skills or system configuration, and it does not request persistent elevated privileges. It writes temporary files under /tmp and cleans them up; no persistent credentials are stored by the skill itself.
Assessment
This skill appears to do exactly what it says: it queries a Base subgraph for your gotchi's current loadout, builds the full 16-slot calldata locally (via lib/equip-lib.js), and submits the transaction payload to Bankr using your BANKR_API_KEY. Before installing/using it: 1) Verify you trust the external endpoints (https://api.bankr.bot and the SUBGRAPH_URL) because transaction submission and subgraph queries go to those services. 2) Be aware the scripts will try to read BANKR_API_KEY from your environment, systemctl --user variables, or bankr config files under ~/.openclaw — if you prefer not to store keys there, set BANKR_API_KEY only in the environment when running. 3) Run npm install in the skill directory if you want Node to resolve the 'viem' dependency before invoking the scripts. 4) Treat your Bankr API key like any wallet/API secret: limit its scope, rotate it if exposed, and test with a non-critical account or dry-run if possible. 5) If you need higher assurance, review the skill's repository on GitHub and confirm the Bankr endpoint and subgraph URL are legitimate and unchanged.

Like a lobster shell, security has layers — review code before you run it.

latestvk9794885v9xeeq8r8xzjyheewx82ddaz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode, jq, curl
EnvBANKR_API_KEY

Comments