ClawHub

Blindoracle Fixed

v1.1.0

Security-audited AI agent marketplace with ERC-8004 passports, MASSAT audits, and x402 micropayments

0· 30·0 current·0 all-time
by@craigmbrown
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (marketplace + MASSAT audits + passports) aligns with the declared requirements: MASSAT_API_URL and BLINDORACLE_API_KEY are exactly what you'd expect for contacting an audit/passport API; required binaries (curl, python3) are reasonable for the curl/json.tool examples.
Instruction Scope
SKILL.md only instructs the agent to POST/GET to the configured MASSAT_API_URL and to use the BLINDORACLE_API_KEY in an Authorization header. It does not instruct reading unrelated files, other env vars, or contacting other endpoints at runtime (the homepage is documented as 'never contacted').
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk install model. Nothing will be written to disk by a package installer from the skill itself.
Credentials
The two required env vars (MASSAT_API_URL and BLINDORACLE_API_KEY) are appropriate and limited. Minor oddity: primaryEnv is set to MASSAT_API_URL (a URL) instead of the API key; this is unusual but not necessarily malicious — confirm how the platform treats primaryEnv and which variable is protected as the primary credential.
Persistence & Privilege
always:false and normal (default) autonomous invocation allowed. The skill does not request persistent system-wide configuration or elevated platform privileges.
Assessment
Before installing: 1) Treat BLINDORACLE_API_KEY as a sensitive secret — only provide a key with the minimal permissions needed for agent registration/audit, and verify key revocation options. 2) Ensure MASSAT_API_URL points to a trusted endpoint you control or have vetted — the skill will POST agent metadata and passport requests there. 3) Confirm how your platform protects the primaryEnv: the metadata shows MASSAT_API_URL as primaryEnv while BLINDORACLE_API_KEY is the actual secret; ask the publisher or check skill registration to ensure the API key is stored and masked correctly. 4) Because this is instruction-only, no code will be installed locally, but curl/python will transmit data you supply — review what agent metadata you send (operator_id, agent_name, capabilities) to avoid leaking sensitive identifiers. 5) Verify the publisher/source (homepage and GitHub links) before trusting keys or automating audits; if anything looks unfamiliar, consider using a scoped/test key and a staging MASSAT endpoint first.

Like a lobster shell, security has layers — review code before you run it.

latestvk971mt9mkd4380hbz657p723sx8498rc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3, curl
EnvMASSAT_API_URL, BLINDORACLE_API_KEY
Primary envMASSAT_API_URL

Comments