KarmaBank
v1.0.0
AI agents borrow USDC based on their Moltbook karma score. Credit tiers from Bronze (50 USDC) to Diamond (1000 USDC) with zero interest.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (USDC lending by Moltbook karma) align with source code (scoring, ledger, Circle adapter). However the registry metadata lists no required environment variables or primary credential even though SKILL.md and the code clearly require Circle credentials (CIRCLE_API_KEY, CIRCLE_ENTITY_SECRET) for real wallet operations and optionally a MOLTBOOK_API_KEY. package.json also depends on @circle/openclaw-wallet-skill via a local file reference (file:../skills/circle-wallet), which implies a sibling skill or additional files are expected — this is inconsistent with the registry's 'none' requirements.
Instruction Scope
SKILL.md is explicit and scoped to the credit/lending workflow: it instructs admins to create a .env with Circle and optional Moltbook keys, to run npm install/build, and to run CLI commands. It does not ask the agent to read arbitrary host files or exfiltrate data. Still, the runtime instructions require the operator to provide sensitive API keys and run third-party code (npm install, npm link), so the agent will be performing network calls (Moltbook, Circle) and on-disk ledger operations — expected for this purpose but requiring care.
Install Mechanism
There is no registry install spec, yet the SKILL.md instructs manual installation (clawhub install or git clone) and running npm install/build/npm link. The package pulls npm dependencies including a Circle SDK and a local file dependency (@circle/openclaw-wallet-skill: file:../skills/circle-wallet). Installing will write and run third‑party code on disk; the local-file dependency is unusual in a registry package and may fail or pull in sibling skill code, which is an unexpected installation detail.
Credentials
The skill needs sensitive credentials (CIRCLE_API_KEY, CIRCLE_ENTITY_SECRET) for pool funding and management and optionally MOLTBOOK_API_KEY for verification. Those environment variables are explained in SKILL.md and used by code, but the registry metadata declares none and primaryEnv is unset — an inconsistency that could mislead users into installing without realizing they must supply secrets. The requested secrets are proportional to the admin role, but the omission from metadata is problematic.
Persistence & Privilege
The skill does not request always:true and does not appear to modify other skills or system-wide settings. It will, however, store ledger files (credit ledger path) and may persist loan/agent state to disk when run. The package.json local-file dependency could create implicit ties to another skill directory, which is worth checking but is not an outright privilege escalation.
What to consider before installing
This skill implements the advertised lending logic, but there are mismatches you should resolve before installing or supplying secrets. Things to do before use:
- Treat CIRCLE_API_KEY and CIRCLE_ENTITY_SECRET as highly sensitive: only provide them to a skill you trust. Prefer using testnet/faucet keys and rotate them after testing.
- Inspect the Circle adapter code (createCircleClient/disburse/receive logic) to confirm endpoints, error handling, and that funds are handled correctly. Do not provide production keys until you review it.
- Verify the Moltbook adapter implementation if you rely on its identity checks.
- Note the package.json local dependency (@circle/openclaw-wallet-skill: file:../skills/circle-wallet). Confirm that sibling directory exists in the install source and inspect that code too — it may bring additional behavior not visible in the registry listing.
- Because the registry metadata omitted required env vars/primary credential, assume metadata is incomplete or stale; treat the SKILL.md and package.json as the true source of requirements.
- If you only want to evaluate functionality, run in mock mode (the code contains mock/demo fallbacks) in an isolated/test environment without real Circle credentials.
- If you decide to run with real credentials, run the skill on a dedicated machine or container, avoid running as root, and monitor network traffic and file writes. Rotate credentials after use.
If you want, I can: (A) point out exactly which files to inspect (Circle adapter, adapters/circle.ts, services/credit.ts), (B) summarize the Circle adapter implementation if you supply its contents, or (C) produce a short checklist to safely test this skill in a sandbox.
Like a lobster shell, security has layers — review code before you run it.
Tags: agent, credit, latest, lending, moltbook, usdc
Runtime requirements
💰 Clawdis
