Gotchi Finder
v1.2.1
Fetch Aavegotchi by ID from Base mainnet and display image with full traits. Shows on-chain SVG, converts to PNG, and displays complete gotchi stats.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (fetch gotchi on Base, display image/stats) matches the code and declared requirements: ethers + sharp usage, RPC endpoint, scripts to fetch on-chain SVG and convert to PNG. Required binaries (node, npm, jq) and optional BASE_MAINNET_RPC are appropriate for this functionality.
Instruction Scope
SKILL.md and shell entrypoints explicitly instruct the agent to run the included scripts, produce JSON/SVG/PNG outputs, and emit a caption+PNG for messaging. The scripts only read/write files inside the skill output path, call public RPC/subgraph/website endpoints, and do not attempt to read unrelated system files or secret env vars.
Install Mechanism
There is no automated install spec in the registry (instruction-only), but the repo includes package.json and SKILL.md suggests running 'npm install'. This is not malicious but is a small inconsistency: installation relies on the user running npm install (which will pull ethers and sharp from npm). No downloads from untrusted URLs or extract steps are present.
Credentials
Only BASE_MAINNET_RPC is requested/used (and a default RPC is provided). No credentials, keys, or unrelated environment variables are required. Network calls are limited to expected public endpoints (Base RPC, aavegotchi API, and a Goldsky subgraph).
Persistence & Privilege
Skill does not request always:true, does not modify other skills or system-wide config, and only writes files to its working/output directories. Autonomous invocation is allowed (platform default) but not combined with elevated privileges.
Assessment
This skill appears to do exactly what it claims: read public gotchi data from Base and convert on-chain SVGs to PNGs. Before installing, consider:
1) Run npm install in a sandboxed environment (it will pull ethers and sharp from npm).
2) The skill will make outbound requests to the declared endpoints (Base RPC, api.aavegotchi.com, and api.goldsky.com subgraphs); if you set BASE_MAINNET_RPC to a custom endpoint, that endpoint will receive read queries — do not point it at untrusted services.
3) The scripts write JSON/SVG/PNG files to the chosen output directory — avoid setting the output directory to important system paths.
4) If you require maximum assurance, review the package.json dependency versions and the included JS scripts (they are short and readable) and run them in an isolated environment.
Overall, nothing in the bundle indicates credential exfiltration or unrelated privileged behavior.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: node, npm, jq
Env: BASE_MAINNET_RPC
