Aavegotchi Baazaar
v0.1.4
View, add, and execute Aavegotchi Baazaar listings on Base mainnet (8453). Buy with GHST directly or buy with USDC using swapAndBuy*. Safety-first: dryRun de...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Aavegotchi Baazaar marketplace actions) match the requested binaries (cast, curl, python3) and the env vars (RPC, contract addresses, subgraph, private key). All required inputs are reasonable for a tool that simulates and broadcasts Ethereum‑style transactions on Base.
Instruction Scope
SKILL.md explicitly limits actions to marketplace flows: fetch subgraph listings, validate inputs, simulate with cast call, and broadcast with cast send only after explicit confirmation. It forbids printing or accepting the PRIVATE_KEY from chat, enforces chain and key/address checks, allows only a small set of HTTPS endpoints, and provides input validation snippets to reduce RCE risk.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes install-time risk because nothing is downloaded or written to disk by the skill itself.
Credentials
PRIMARY credential is PRIVATE_KEY, which is appropriate for broadcasting transactions. The other required env vars (FROM_ADDRESS, RPC, contract addresses, pricing/slippage params, subgraph URL) are proportional to the described functionality.
Persistence & Privilege
always:false (good). The skill is allowed to be invoked autonomously (default). Because it can broadcast transactions if DRY_RUN=0 and BROADCAST_CONFIRM is set, providing a private key grants real operational power — the SKILL.md does mandate user confirmation and safety checks, but users should treat autonomous invocation and an exported PRIVATE_KEY as high‑impact.
Assessment
This skill appears coherent and includes sensible safety rules, but it's high‑impact because it requires a private key. Before installing: (1) Use a dedicated, minimally funded EOA (not your main wallet / exchange account). (2) Keep DRY_RUN=1 (default) until you fully test flows. (3) Only set DRY_RUN=0 and BROADCAST_CONFIRM when you intend to broadcast, and then unset BROADCAST_CONFIRM immediately after. (4) Verify SUBGRAPH_URL is the canonical endpoint and that the DIAMOND/GHST/USDC addresses are what you expect. (5) The skill runs shell snippets, so follow its validation rules and do not paste unvalidated inputs into commands. (6) Consider whether you are comfortable granting an agent with autonomous invocation access to an EOA private key; if not, do not provide PRIVATE_KEY to the environment and only run the skill manually from a safe environment.
Runtime requirements
Bins: cast, curl, python3
Env: FROM_ADDRESS, PRIVATE_KEY, BASE_MAINNET_RPC, RECIPIENT_ADDRESS, DRY_RUN, SLIPPAGE_PCT, PAYMENT_FEE_PCT_USDC, GHST_USD_PRICE, DIAMOND, GHST, USDC, SUBGRAPH_URL
Primary env: PRIVATE_KEY
