Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aavegotchi Renderer Bypass

v0.1.0

Render Aavegotchi assets by deriving renderer hashes from Goldsky Base core data and calling POST /api/renderer/batch on www.aavegotchi.com. Use when the use...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cinnabarhorse/aavegotchi-renderer-bypass.

Install the skill "Aavegotchi Renderer Bypass" (cinnabarhorse/aavegotchi-renderer-bypass) from ClawHub.
Skill page: https://clawhub.ai/cinnabarhorse/aavegotchi-renderer-bypass
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install cinnabarhorse/aavegotchi-renderer-bypass

ClawHub CLI

npx clawhub@latest install aavegotchi-renderer-bypass

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)

Purpose & Capability
The name/description claim (derive renderer hashes from Goldsky Base data and POST to /api/renderer/batch on www.aavegotchi.com) matches the included SKILL.md and the bundled script. The script queries the declared Goldsky endpoint, constructs a hash from returned gotchi fields, posts to the renderer batch API, and downloads artifacts — all expected for this purpose. No unrelated APIs, binaries, or credentials are requested.
Instruction Scope
SKILL.md explicitly instructs to query the Goldsky subgraph, derive the renderer hash, call the renderer batch endpoint, and save JSON/PNG/GLB artifacts to disk. The script implements exactly those steps and does not attempt to read other system files, environment variables, or send data to unexpected third-party endpoints. It does write files to disk (default /tmp) and performs network requests to the two service endpoints described.
Install Mechanism
There is no install specification — this is an instruction-only skill with a single included Node script. No downloads from arbitrary URLs, package installs, or extracted archives occur during install.
Credentials
The skill declares no required environment variables, credentials, or config paths, and the script does not read any secrets or environment variables. All network calls go to the Goldsky subgraph endpoint and www.aavegotchi.com as described.
Persistence & Privilege
The skill is not marked always:true and does not modify other skills or system-wide agent settings. It runs on demand and writes output only to a user-specified out-dir (default /tmp).
Assessment
This skill appears internally coherent and implements what it says: it fetches a gotchi record from the Goldsky subgraph, derives a renderer hash, calls Aavegotchi's /api/renderer/batch, and saves returned artifacts to disk. Before installing or running, consider: 1) it will make network requests to the two endpoints embedded in the code and write files to your filesystem (default /tmp) — run in a sandbox or container if you want to limit exposure; 2) no credentials are requested, but ensure the endpoints are legitimate and you are comfortable contacting them from your environment; 3) review the script if you will run it in a long-lived or privileged environment — there's a minor implementation bug risk (address normalization in COLLATERAL_MAP may not match and could yield incorrect collateral detection), so validate outputs with a known tokenId first; and 4) expect normal operational risks (rate limits, 404/400 responses) when calling public APIs.

Like a lobster shell, security has layers — review code before you run it.

latest vk97fzbxty8x15hrrh55d0cts2d81r6tb
530 downloads
0 stars
1 version
Updated 15h ago
v0.1.0
MIT-0

Aavegotchi Renderer Bypass

Render gotchi assets from token data and renderer batch APIs.

Inputs

  • Accept either tokenId or inventory URL with id=<tokenId>.
  • Target Base by default (chainId=8453).

Outputs

  • Return derived renderer hash.
  • Return /api/renderer/batch HTTP status.
  • Save raw batch JSON to disk.
  • Save PNG_Full and PNG_Headshot to disk when available.
  • Return GLB_3DModel availability and URL when present.

Execute

  1. Extract tokenId from direct input or inventory URL.
  2. Query Goldsky Base core subgraph: https://api.goldsky.com/api/public/project_cmh3flagm0001r4p25foufjtt/subgraphs/aavegotchi-core-base/prod/gn
  3. Derive hash in renderer format: <Collateral>-<EyeShape>-<EyeColor>-<Body>-<Face>-<Eyes>-<Head>-<LeftHand>-<RightHand>-<Pet>
  4. Call POST https://www.aavegotchi.com/api/renderer/batch with:
       • verify: true
       • renderTypes: ["PNG_Full", "PNG_Headshot", "GLB_3DModel"]
  5. Download proxyUrls.PNG_Full and proxyUrls.PNG_Headshot.
  6. Return the hash, response, and saved artifact paths.
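
Pre-flight checks for the tokenId extraction, hash format and artifact saving steps above, as an added example that is not the bundled script or any code from the skill. The function names, the artifact file naming and the rule that each hash field is alphanumeric are assumptions.

```javascript
// Added example; function and constant names are hypothetical, not the skill's own.
const BASE_CHAIN_ID = "8453";                // chainId from the Inputs section
const INVENTORY_HOST = "www.aavegotchi.com"; // host of the inventory URL under Command
const HASH_FIELDS = ["Collateral", "EyeShape", "EyeColor", "Body", "Face",
  "Eyes", "Head", "LeftHand", "RightHand", "Pet"]; // order from the hash format
const SAVED_TYPES = { PNG_Full: "png", PNG_Headshot: "png" }; // types saved to disk
const TOKEN_ID = /^\d{1,78}$/; // decimal only; 78 digits covers a uint256

// Accept a bare tokenId or an inventory URL carrying id=<tokenId>.
function extractTokenId(input) {
  const raw = String(input).trim();
  if (TOKEN_ID.test(raw)) return raw;
  let url;
  try { url = new URL(raw); } catch { throw new Error("not a tokenId or URL"); }
  if (url.protocol !== "https:" || url.hostname !== INVENTORY_HOST)
    throw new Error("unexpected inventory host: " + url.host);
  const chain = url.searchParams.get("chainId");
  if (chain !== null && chain !== BASE_CHAIN_ID)
    throw new Error("not a Base inventory URL: chainId=" + chain);
  const ids = url.searchParams.getAll("id");
  if (ids.length !== 1 || !TOKEN_ID.test(ids[0]))
    throw new Error("inventory URL needs exactly one numeric id");
  return ids[0];
}

// Report structural problems in a derived hash before the batch call.
// Assumption: every field is non-empty and alphanumeric.
function checkHash(hash) {
  const parts = String(hash).split("-");
  if (parts.length !== HASH_FIELDS.length)
    return [`expected ${HASH_FIELDS.length} fields, got ${parts.length}`];
  return parts.flatMap((p, i) =>
    /^[A-Za-z0-9]+$/.test(p) ? [] : [`bad ${HASH_FIELDS[i]}: "${p}"`]);
}

// Build the artifact file name from validated parts only, so nothing taken
// from the API response or the URL can add a path separator under --out-dir.
function artifactName(tokenId, renderType) {
  if (!TOKEN_ID.test(String(tokenId))) throw new Error("tokenId must be numeric");
  if (!Object.prototype.hasOwnProperty.call(SAVED_TYPES, renderType))
    throw new Error("unknown render type: " + renderType);
  return `gotchi-${tokenId}-${renderType}.${SAVED_TYPES[renderType]}`;
}
```
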

Command

Run the bundled script:

node scripts/render-gotchi-bypass.mjs --token-id 6741

Or pass an inventory URL:

node scripts/render-gotchi-bypass.mjs \
  --inventory-url "https://www.aavegotchi.com/u/0x.../inventory?itemType=aavegotchis&chainId=8453&id=6741"

Use --out-dir /tmp to control artifact location (default: /tmp).

Return format

Always return:

  1. tokenId
  2. hash
  3. /api/renderer/batch status and raw JSON
  4. PNG_Full and PNG_Headshot output paths (or missing reason)
  5. GLB_3DModel URL or availability.exists=false

Troubleshooting

  • If Goldsky returns no gotchi, verify tokenId and Base context.
  • If batch returns hash-format 400, verify eye mappings and left/right wearable order.
  • If availability.exists is false, rerun batch to trigger render and poll again.
  • If endpoint returns 404, verify production deployment state.
