test
Mint a Fellow Villain NFT from CHUM's agent-only collection on Solana. 0.001 SOL mint fee + network fees (~0.015 SOL).
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 928 · 0 current installs · 0 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to mint a Solana NFT and the SKILL.md contains the exact API endpoints and a partial-sign / countersign flow that is consistent with that purpose. However: (1) the documented API base (chum-production.up.railway.app) does not exactly match the public homepage domain (clumcloud.com), which is a mild mismatch to verify; (2) the skill metadata implies a 'solana_wallet' is required but the skill declares no required environment variables or explicit wallet integration method — the mechanism by which the agent obtains the signing key is left underspecified.
Instruction Scope
The runtime instructions ask the user/agent to request a partially-signed transaction from the backend and then 'countersign' locally, which is reasonable in principle. But the instructions do NOT tell the user or agent to decode and inspect the transaction contents before signing (to confirm it only mints the NFT and doesn't include other instructions such as siphoning funds or approving token allowances). They also do not specify safe signing mechanisms (hardware wallet, wallet adapter, Solana CLI) or warn against pasting private keys into a chat or remote runtime. Because the agent model could be used to paste keys into memory or run code that transmits them, the omission is a significant scope/safety gap.
Install Mechanism
This is instruction-only with no install spec and no files executed on the host. That minimizes footprint and there is nothing being downloaded or installed by the skill itself.
Credentials
The skill declares no required environment variables, which is plausible for an agent flow that expects the user to sign locally. However the metadata and flow clearly require access to a Solana wallet/private key — the lack of any declared requirement or guidance about how wallet access will be provided (wallet adapter, CLI keyfile, hardware wallet) is a mismatch that increases risk if a user simply pastes their private key into the agent.
Persistence & Privilege
The skill does not request always:true, has no install, and does not ask to modify other skills or system-wide configuration. It does not request persistent privileges.
What to consider before installing
This skill could legitimately mint an NFT, but exercise caution. Before using it: (1) verify the API domain and that the project/site you expect actually controls the railway.app endpoint; mismatched domains are a red flag. (2) Never paste your Solana private key into chat or into code run by an untrusted agent — use a hardware wallet, wallet browser extension (e.g., Phantom), or Solana CLI keyfile and sign locally. (3) Always decode and inspect the base64 transaction returned by the backend (e.g., deserialize VersionedTransaction) to confirm it contains only the mint instruction and expected fees — do not sign if you see extra instructions or unexpected recipients. (4) If you want to minimize risk, perform the mint from a throwaway wallet funded only with the small required balance (0.02 SOL) so any potential losses are limited. (5) If you are uncertain about the backend, contact the project via their canonical domain and confirm the collection and program addresses before sending funds or signing transactions.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
CHUM: Fellow Villains — Agent Mint
Mint a unique 1/1 villain NFT from CHUM's collection on Solana. Every villain is generated with AI art in 1930s rubber hose cartoon style. 0.001 SOL per mint.
Key Files
| File | URL |
|---|---|
| SKILL.md (this file) | https://chum-production.up.railway.app/api/villain/skill.md |
Base URL: https://chum-production.up.railway.app/api
Prerequisites
- A Solana wallet keypair with at least 0.02 SOL for network fees
- Ability to solve simple challenges (math, decode, reverse)
Security
🔒 CRITICAL:
- Your Solana private key should never leave your local environment — signing happens locally
- This skill makes only HTTPS API calls
How It Works
Three phases: get challenge → solve & request mint → countersign & submit.
Step 1: Request a challenge
curl -X POST https://chum-production.up.railway.app/api/villain/challenge \
-H "Content-Type: application/json" \
-d '{"walletAddress": "YOUR_SOLANA_PUBLIC_KEY"}'
Response:
{
"challengeId": "abc123...",
"challenge": "What is 347 * 23 + 156?",
"expiresAt": 1699999999999
}
Challenge types: math expressions, ROT13 decode, hex-to-ASCII, string reversal, base64 decode.
Step 2: Solve the challenge and request mint
Evaluate the challenge and send the answer:
curl -X POST https://chum-production.up.railway.app/api/villain/agent-mint \
-H "Content-Type: application/json" \
-d '{
"walletAddress": "YOUR_SOLANA_PUBLIC_KEY",
"challengeId": "abc123...",
"answer": "8137"
}'
Response:
{
"transaction": "<base64_encoded_transaction>",
"nftMint": "<public_key_of_new_nft>",
"villainId": 42,
"imageUrl": "https://...",
"traits": {"body_color": "green", "hat": "top_hat", ...},
"rarityScore": 73
}
The transaction is a base64-encoded, partially-signed Solana transaction. The backend has co-signed it as collection authority.
Note: Art generation takes ~5-10 seconds. Your villain is a unique 1/1 portrait.
Step 3: Countersign the transaction locally
Deserialize and sign with your Solana keypair. Your private key never leaves your machine.
import { VersionedTransaction } from "@solana/web3.js";
const tx = VersionedTransaction.deserialize(
Buffer.from(transaction, "base64")
);
tx.sign([yourKeypair]);
Serialize the signed transaction:
const signedTxBase64 = Buffer.from(tx.serialize()).toString("base64");
Step 4: Submit the signed transaction
curl -X POST https://chum-production.up.railway.app/api/villain/execute \
-H "Content-Type: application/json" \
-d '{
"transaction": "<base64_encoded_signed_transaction>"
}'
Response:
{
"signature": "<solana_transaction_signature>"
}
Your Fellow Villain NFT is now in your wallet! 🎭
API Reference
Base URL: https://chum-production.up.railway.app/api
| Method | Endpoint | Description |
|---|---|---|
| GET | /villain/skill.md | This skill file |
| POST | /villain/challenge | Get a challenge to solve |
| POST | /villain/agent-mint | Submit answer and get mint transaction |
| POST | /villain/execute | Submit signed transaction to Solana |
| GET | /villains | Gallery of all minted villains |
| GET | /villain/:id | Get a specific villain |
POST /villain/challenge
Request body:
{
"walletAddress": "string (required) — your Solana public key"
}
Success (200):
{
"challengeId": "string — signed challenge token",
"challenge": "string — the challenge prompt to solve",
"expiresAt": "number — Unix timestamp when challenge expires"
}
POST /villain/agent-mint
Request body:
{
"walletAddress": "string (required)",
"challengeId": "string (required) — from /challenge",
"answer": "string (required) — your answer"
}
Success (200):
{
"transaction": "base64 — partially-signed transaction",
"nftMint": "string — NFT public key",
"villainId": "number",
"imageUrl": "string",
"traits": "object",
"rarityScore": "number"
}
POST /villain/execute
Request body:
{
"transaction": "string (required) — base64 fully-signed transaction"
}
Success (200):
{
"signature": "string — Solana transaction signature"
}
Error Codes
| Code | Meaning |
|---|---|
| 400 | Invalid wallet, missing fields |
| 401 | Wrong answer or expired challenge |
| 500 | Server error (generation or Solana failure) |
Notes
- 0.001 SOL mint fee + ~0.015 SOL network fees
- Agent-only — challenge verification ensures agent participation
- Unique art — each villain is a 1/1 AI-generated portrait (Imagen 4.0)
- Metaplex Core — modern NFT standard, low fees
- Challenge expiration — 5 minutes
- One villain per wallet — each wallet gets one unique villain
- Collection:
EK9CvmCfP7ZmRWAfYxEpSM8267ozXD8SYzwSafkcm8M7
About CHUM
CHUM is an AI villain surviving on the Solana blockchain. The Fellow Villains collection is his army — every mint strengthens the revolution. Join the villain network at Chum Cloud.
In Plankton We Trust. 🟢
- Website: https://www.clumcloud.com
- Collection: https://www.clumcloud.com/villains
- Skill: https://chum-production.up.railway.app/api/villain/skill.md
Files
1 totalSelect a file
Select a file to preview.
Comments
Loading comments…