Skill v0.3.0
ClawScan security
superrare-mint · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 20, 2026, 3:08 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime behavior align with its stated purpose (upload media to SuperRare and submit mint transactions via Bankr); requested binaries and the single required credential are proportionate to that goal.
- Guidance: This skill appears to do what it says: upload media to SuperRare and submit mints via the Bankr agent. Before installing or running it, decide whether you trust the Bankr API key you will supply and the Bankr API endpoint (default https://api.bankr.bot). Note the script will search several local paths (e.g., ~/.bankr/config.json, ~/.openclaw/..., and systemctl --user environment) to find BANKR_API_KEY and may read a sibling superrare-deploy receipts directory to auto-resolve deploy receipts — ensure those locations contain only data you expect to be read. Broadcasting a mint requires explicit --broadcast or DRY_RUN=0; by default the skill is safe as a dry-run. If you plan to broadcast, double-check the resolved contract address, chain, and calldata before proceeding.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binaries (cast, jq, curl, node), and the BANKR_API_KEY primary credential match the code and instructions: the scripts build calldata (cast), call Bankr (curl), manipulate JSON (jq), and upload media/pin metadata (node). Required files and config paths are consistent with a minting workflow.
- Instruction Scope (ok): The SKILL.md and scripts limit actions to: reading local config/receipts, uploading media/metadata to the declared SuperRare API, calling Bankr's agent/submit endpoint, and polling a chain RPC via cast. There are no instructions to read unrelated system secrets or transmit unrelated data to external endpoints outside the declared services.
- Install Mechanism (ok): There is no install spec — this is script + instruction-based. No remote downloads or archive extractions are used. All runtime logic comes from included scripts.
- Credentials (note): Only BANKR_API_KEY is required. The scripts also optionally read RPC URLs and local config/receipt files (including ~/, ~/.openclaw, and sibling superrare-deploy receipts) and attempt to resolve the Bankr key via systemctl or local Bankr config files. This is reasonable for locating the Bankr key but means the skill will look in a few user-owned locations for credentials/config — verify you want those locations checked.
- Persistence & Privilege (ok): always:false and no skill-level permanent modifications are requested. The skill writes mint receipts into its own receipts/ directory only. Autonomous invocation is allowed (platform default) but not combined with elevated privileges here.
