AAP Agent Bounty

v1.0.10

Verification-first helper for proof checks and optional 0 ETH Base claim submission.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (proof checks, claim submission on Base) align with the required binaries (gh for GitHub context, cast for on-chain RPC interaction) and the required env var (BASE_RPC_URL). No unrelated credentials or tools are requested.
Instruction Scope
SKILL.md stays on-scope: it describes checking proof status, preparing a claim payload, and only broadcasting if confirm_broadcast: true. It relies on local GitHub auth (gh) or optional GH_TOKEN and a local signer for cast. Be aware the claim payload includes user identifiers (GitHub username and X handle), so the skill will include and expose those handles in the transaction/payload if used.
Install Mechanism
Instruction-only skill with no install spec or bundled code — lowest-risk install posture (no downloads or extracts).
Credentials
Required env is a single RPC endpoint (BASE_RPC_URL) which is necessary for interacting with Base. GH_TOKEN is optional as a fallback for GitHub auth, which is reasonable. Caution: supplying an RPC URL gives the skill a remote endpoint for broadcasting/reading chain state — ensure you trust the provider and do not supply a malicious/unknown RPC endpoint. Also avoid supplying overly-permissive GH tokens; the skill suggests least-privilege but doesn't enforce scopes.
Persistence & Privilege
The skill is not always-enabled and does not request persistent elevated privileges. Autonomous invocation is allowed by default but the SKILL.md enforces a deterministic gate (confirm_broadcast) before any broadcast, reducing risk of unexpected transactions.
Assessment
This skill is internally consistent with its purpose. Before installing, confirm you have gh and cast installed and that any GH_TOKEN you provide has minimal scopes. Do NOT provide private keys, mnemonics, or broad-scoped secrets. Verify the BASE_RPC_URL points to a trusted Base RPC provider (a malicious RPC could influence signed transactions or responses). When the skill shows the exact transaction command, review it carefully before setting confirm_broadcast: true — broadcasting will consume gas (even for 0 ETH value) and will include the claim payload (GitHub/X handles) on-chain. If you are uncomfortable sharing those handles on-chain, do not confirm broadcast.


Tags: AAP, BASE, ETH, agent-bounty, ai-agents, claim-to-earn, latest, onchain-rewards


Runtime requirements

Bins: gh, cast
Env: BASE_RPC_URL
