TheRoaster
v1.0.1Generate short, funny roasts for social bots with safety filters; free tier allows limited daily use, paid plans increase quota via on-chain entitlement.
⭐ 0· 1.2k·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The SKILL.md (and README) describe a roast-generation API and on-chain entitlement flow; everything requested (HTTP endpoints, contract address, pricing) matches that purpose. There are no unexpected env vars, binaries, or installs required by the skill.
Instruction Scope
Instructions are limited to calling the Roaster API, checking on-chain entitlements, building unsigned transactions, and obtaining API keys. The doc explicitly warns agents not to perform wallet functions without human confirmation. This is appropriate for the stated purpose, but the presence of ‘No UI required’ and transaction-building endpoints means an agent with wallet access could perform purchases if allowed — ensure human confirmation is enforced by policy.
Install Mechanism
No install spec and no code files are included (instruction-only). Nothing is written to disk or fetched during install by the skill itself, which minimizes install-time risk.
Credentials
The skill does not request any environment variables, keys, or system paths. The README notes the service uses the OpenAI API server-side, but the skill does not ask users to provide OpenAI credentials. No disproportionate credential requests are present.
Persistence & Privilege
always:false (normal). The skill can be invoked autonomously (platform default). Combined with endpoints that build unsigned transactions and the requirement to save API keys immediately, this raises a user-administration consideration: do not grant the agent access to any private wallet signing keys or automated signing capability. The skill itself does not request such keys.
Assessment
This skill is internally consistent for a roast-generator service. Before installing: 1) verify the domain (https://theroaster.app) and the on‑chain contract address if you plan to purchase plans; 2) never give the agent private wallet keys or an automated signer — treat any purchase flow as requiring explicit human confirmation; 3) if an api_key is issued, store it in your agent's secure secret store (the SKILL.md warns the key is shown only once); 4) confirm your agent’s policies prevent it from automatically signing or broadcasting transactions; and 5) if you need extra assurance, test only using the free tier first.Like a lobster shell, security has layers — review code before you run it.
latestvk97c0bjh4jbarf8w3tda3054vh80s6zw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.