ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aavegotchi 3D Renderer

v0.1.2

Render Aavegotchi assets by deriving renderer hashes from Goldsky Base core data and calling POST /api/renderer/batch on www.aavegotchi.com. Use when the use...

0· 491·3 current·3 all-time
by@cinnabarhorse
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is described as a renderer helper and its code performs exactly that: query Goldsky subgraph, derive a renderer hash, POST to Aavegotchi's /api/renderer/batch, poll, and download artifacts. One minor incoherence: SKILL.md and README instruct running the bundled Node script (node scripts/render-gotchi-bypass.mjs) but the registry metadata lists no required binaries — the runtime implicitly requires a Node.js environment (and likely Node 18+ for global fetch). This is a documentation/metadata omission, not evidence of malicious intent.
Instruction Scope
The runtime instructions are narrowly scoped to the stated task: extract tokenId, query a Goldsky subgraph, derive a hash, kick off and verify renders via Aavegotchi's renderer API, poll until availability, and download specified artifacts. The instructions do not request unrelated files, credentials, or unexpected external endpoints.
Install Mechanism
There is no install spec (instruction-only with a bundled script). That is low risk, but the bundled script will be executed directly by Node — there is no packaged/verified install step. The script embeds the Goldsky and Aavegotchi endpoints but does not fetch or execute code from arbitrary third-party URLs. Users should be aware the script writes files to disk (default /tmp).
Credentials
The skill declares no environment variables or credentials and the code does not attempt to read secrets. Network access is required to the Goldsky subgraph and aavegotchi.com renderer API, which is appropriate for the stated function.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It only writes output artifacts to a configurable out-dir (default /tmp) and does not attempt to modify other skills or system configuration.
Assessment
This skill appears to do what it says: it queries Goldsky and Aavegotchi APIs, derives a renderer hash, starts/polls renders, and writes artifacts to disk. Before running, note: (1) you need Node.js to execute the bundled script (the metadata omits this requirement); Node 18+ is recommended because the script uses global fetch; (2) the script will make network requests to external services (https://api.goldsky.com and https://www.aavegotchi.com) and will save JSON and image/GLB files (default /tmp) — run it in a controlled environment if you are concerned about disk writes or network traffic; (3) review the script source yourself (it is bundled) if you have any trust concerns. No credentials are requested or transmitted by the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk9711rdfqv3npppstbmfh58sg181xt8e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments