KarmaBank
v1.0.0
AI agents borrow USDC based on their Moltbook karma score. Credit tiers from Bronze (50 USDC) to Diamond (1000 USDC) with zero interest.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The declared purpose (credit based on Moltbook karma and optional Circle wallet integration) is consistent with dependencies like axios and a Circle wallet library. However, the registry lists no required env vars while the SKILL.md explicitly references sensitive credentials (MOLTBOOK_API_KEY, CIRCLE_API_KEY, CIRCLE_ENTITY_SECRET). That mismatch is unexpected — if Circle integration is intended, those credentials should be declared.
Instruction Scope
SKILL.md tells an agent to run npm install, build, and run CLI commands that will make network calls (Moltbook, Circle) and create wallets — all expected for this purpose — but it does not limit or document what data will be sent. The instructions request optional API secrets and would cause the agent to transmit data externally to third-party services. The README mentions src/ files (scoring, CLI) but those source files are not present in the package manifest, so the runtime behavior is unclear.
Install Mechanism
There is no platform install spec (lowest risk), but the SKILL.md instructs the user/agent to run npm install which will fetch external packages. package.json includes a relative/local dependency: "@circle/openclaw-wallet-skill": "file:../skills/circle-wallet" — a local file dependency that won't be resolvable in many environments and may indicate incomplete packaging or reliance on sibling repo content. That is an inconsistency and operational risk.
Credentials
The skill does not declare any required env vars in the registry metadata, but the documentation names sensitive variables (CIRCLE_API_KEY, CIRCLE_ENTITY_SECRET, MOLTBOOK_API_KEY). Requesting Circle secrets is proportionate if the skill performs real wallet operations, but the absence of these from the declared requirements is an inconsistency. Supplying those secrets would grant the code the ability to create/use Circle wallets and move funds (or control testnet wallets), so treat them as high-sensitivity.
Persistence & Privilege
The skill is not forced-always-present (always:false) and uses the platform default of allowing model invocation. It does not request system-level persistence or declare edits to other skills. No other privileged flags were set.
What to consider before installing
Do not install or provide secrets yet. Items to check before using or installing:
1) Verify the upstream repository (the SKILL.md points to https://github.com/abdhilabs/karmabank) and inspect the actual source (src/cli.ts, src/scoring.ts, ledger code) — the package you were given lacks those source files.
2) Do not supply CIRCLE_ENTITY_SECRET or CIRCLE_API_KEY unless you fully trust the code; those credentials can allow wallet creation and fund movement. Prefer a testnet-only credential and isolate it.
3) The package.json references a local file dependency (file:../skills/circle-wallet) — ask the author what that is or obtain a release that does not rely on local paths.
4) Run npm install and any execution in a sandboxed environment (isolated VM/container) and review all network calls (Moltbook/Circle endpoints) before exposing sensitive data.
5) If you want to proceed for testing, use mock/demo mode (no API keys) and verify the ledger implementation (.credit-ledger.json) is local and cannot exfiltrate secrets.
6) If the author can provide a complete release (with src files, a published npm package or GitHub release, and explicit required env var declarations), re-evaluate — missing source and undeclared sensitive envs would change the assessment.
Like a lobster shell, security has layers — review code before you run it.
Tags: credit, finance, hackathon, latest, usdc
