Bobine Contract Caller

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill transparently calls user-specified Bobine contracts and can sign calls with an Ed25519 private key, so it is useful but should be used carefully with keys and state-changing contract methods.

Install only if you intend to call Bobine contracts from this agent. Treat `sigkey` output and inputs as private credentials, verify the server/module/method/params before running signed calls, and be aware that contract methods may change state.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a private signing key is exposed or misused, someone may be able to make authorized Bobine calls as that session.

Why it was flagged

The skill intentionally uses an Ed25519 private signing key for authenticated Bobine calls. This is purpose-aligned and disclosed, but the key grants signing authority and must be protected.

Skill content

`--sigkey`: required when `--auth-module` is provided ... `keygen.mjs` prints secret material ... Treat `sigkey` as sensitive

Recommendation

Only provide signing keys for servers and modules you trust, avoid pasting keys into shared chats or logs, and confirm signed calls before running them.

What this means

A signed or state-changing contract call could modify Bobine module state on the selected server.

Why it was flagged

The script posts arbitrary user-specified module, method, params, and proof-of-work data to a Bobine server. This is exactly the skill's purpose, but contract calls can have side effects depending on the target method.

Skill content

`fetch(new URL("/api/execute", server), { method: "POST", body })`

Recommendation

Review the target server, module, method, and parameters before execution, especially when using `--auth-module` and `--sigkey`.