KarmaBank
v1.0.0AI agents borrow USDC based on their Moltbook karma score. Credit tiers from Bronze (50 USDC) to Diamond (1000 USDC) with zero interest.
⭐ 0· 1.1k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md and README describe a CLI (karmabank) that interacts with Moltbook and Circle to register agents, create wallets, and move USDC. However the skill bundle contains no source files or CLI implementation—only package.json and docs—so the claimed functionality is not present in the package. package.json also references a local dependency ('file:../skills/circle-wallet'), which is incoherent for a published skill and will fail or pull in unexpected local content when installed.
Instruction Scope
Runtime instructions tell the agent to run npm install, npm run build, and then CLI commands that call external services (Moltbook, Circle). The steps themselves are limited to expected operations for this purpose, but they require executing package installs and network calls. The SKILL.md does not instruct reading unrelated system files, but it does rely on optional environment secrets for Circle (sensitive) and Moltbook.
Install Mechanism
There is no install spec in the registry (instruction-only), but the README instructs running npm install which would fetch dependencies from npm. package.json lists reasonable public packages but also a local file dependency ('@circle/openclaw-wallet-skill': 'file:../skills/circle-wallet') that is not resolvable from the published bundle and suggests the package was packaged for a specific local workspace rather than general distribution. The bundle also lacks the source files referenced by package.json (no src/ or dist/), making the recommended build steps impossible without pulling code from the external GitHub link.
Credentials
SKILL.md references MOLTBOOK_API_KEY, CIRCLE_API_KEY, and CIRCLE_ENTITY_SECRET for real wallet operations. These are sensitive credentials and are only optional in docs, but the skill requires them to perform real Circle wallet actions. The registry metadata declares no required env vars, so the runtime instructions expect users to supply secrets outside the declared manifest. Requesting Circle credentials is plausible for creating wallets, but the combination of absent implementation and external installs increases risk if you provide production keys.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistence. It is user-invocable and allows autonomous invocation by default (platform normal). There is no evidence the skill attempts to modify other skills or system configuration in the provided materials.
What to consider before installing
Do not install or provide secrets to this skill yet. The package in the registry contains only docs and package.json but no source/CLI, and the package.json references a local dependency path—this indicates the bundle is incomplete or packaged for a different workspace. If you want to proceed: 1) Inspect the upstream GitHub repo (https://github.com/abdhilabs/karmabank) and verify the source code, build artifacts, and published releases match the SKILL.md. 2) Never supply production CIRCLE_API_KEY or CIRCLE_ENTITY_SECRET without code review; use testnet/dev keys and a sandboxed environment. 3) Be cautious running npm install from an untrusted repo (it downloads remote packages). 4) Prefer only installing from a verified release or after the author corrects the local file dependency and includes the CLI source. If you cannot verify these, treat the skill as untrusted and avoid providing credentials or running its install commands.Like a lobster shell, security has layers — review code before you run it.
creditvk977zq9np3sdtd0crwtm6e30b580kgcfhackathonvk977zq9np3sdtd0crwtm6e30b580kgcflatestvk977zq9np3sdtd0crwtm6e30b580kgcfusdcvk977zq9np3sdtd0crwtm6e30b580kgcf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.