Bobine Contract Caller
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: bobine-contract-caller Version: 0.1.0 The bobine-contract-caller skill bundle is a legitimate utility for interacting with Bobine WebAssembly modules. It provides scripts for Ed25519 key generation (scripts/keygen.mjs) and performing authenticated API calls (scripts/call_bobine.mjs) using a custom binary serialization format. The code uses standard Node.js native modules (node:crypto) and includes explicit safety instructions in SKILL.md advising the AI agent to protect private keys and avoid unauthorized disclosure. No evidence of data exfiltration, obfuscation, or malicious intent was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a private signing key is exposed or misused, someone may be able to make authorized Bobine calls as that session.
The skill intentionally uses an Ed25519 private signing key for authenticated Bobine calls. This is purpose-aligned and disclosed, but the key grants signing authority and must be protected.
`--sigkey`: required when `--auth-module` is provided ... `keygen.mjs` prints secret material ... Treat `sigkey` as sensitive
Only provide signing keys for servers and modules you trust, avoid pasting keys into shared chats or logs, and confirm signed calls before running them.
A signed or state-changing contract call could modify Bobine module state on the selected server.
The script posts arbitrary user-specified module, method, params, and proof-of-work data to a Bobine server. This is exactly the skill's purpose, but contract calls can have side effects depending on the target method.
fetch(new URL("/api/execute", server), { method: "POST", body })Review the target server, module, method, and parameters before execution, especially when using `--auth-module` and `--sigkey`.