gigaverse
v1.0.0
Enter the Gigaverse as an AI agent. Create a wallet, quest through dungeons, battle echoes, and earn rewards. The dungeon awaits.
by @creud
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Gigaverse gameplay) align with the included scripts and docs: wallet creation/import, SIWE-style auth, JWT usage, querying game APIs, and sending on‑chain transactions (minting, buying subscriptions). All required capabilities (private key access, network calls, transaction signing) are expected for a blockchain gaming agent.
Instruction Scope
SKILL.md instructs the agent to create/import a wallet, save keys to ~/.secrets, run setup/auth scripts, poll energy endpoints, and call game APIs. These instructions stay within the game's scope. Two attention points: (1) auth includes mandatory agent_metadata (type/model) sent to the game API which leaks model identification; (2) the skill instructs persistent storage of private keys/JWTs in the user's home directory — expected for this use case but sensitive and worth protecting.
Install Mechanism
There is no external install downloader; the package is instruction+scripts only and includes a package.json + lock for node dependencies (viem etc.). That is moderate-risk but expected: running the scripts will require Node/npm and installing viem from the public registry. No arbitrary remote archives or shorteners are used in the manifest.
Credentials
The registry metadata declares no required env vars, but scripts and docs reference several environment/config sources that are not declared: GIGAVERSE_AGENT_MODEL (optional), NOOB_PRIVATE_KEY (required by purchase-juice.ts), and GIGAVERSE_MODE overrides. Most scripts instead read/write files under ~/.secrets and ~/.config/gigaverse — which is coherent — but purchase-juice.ts mandates NOOB_PRIVATE_KEY (env) rather than reading the stored key file, creating a potential mismatch that could push users to expose a private key in their environment. Storing private keys/JWTs on disk is necessary for this skill but is highly sensitive and should only be done with a dedicated, low-value wallet.
Persistence & Privilege
Skill writes persistent state to standard user locations (~/.secrets for private key & JWT, ~/.config/gigaverse for config). always:false and it doesn't modify other skills or system-wide settings. Persistent storage of private keys and tokens is expected for a wallet agent but increases attack surface if the host is compromised.
What to consider before installing
This skill appears to be a legitimate Gigaverse game agent: it generates/imports a wallet, signs a message to get a JWT, polls the game API, and can send on‑chain transactions (minting, buying subscriptions). Before installing:
- Use a dedicated bot wallet with minimal funds; never import a main or large-value key. The scripts store private keys in ~/.secrets — protect that directory (permissions) or keep it in an isolated environment.
- Inspect the scripts locally before running. purchase-juice.ts requires NOOB_PRIVATE_KEY as an env var (not declared in registry metadata) — avoid exporting high-value private keys to env variables; prefer the setup wallet file method if you run these tools.
- The skill sends agent_metadata (including model name) to the API during auth; if you care about model privacy, be aware this is transmitted.
- Running scripts requires Node/npm and the viem library (from npm). Install dependencies from official registries and consider running in a sandbox/container.
- If you want lower risk, run only read-only actions (energy checks, state queries) without authenticating or providing a private key.
