ClawHub

Element NFT Trader

v1.0.5

Use when the user wants to sell or buy an NFT on Element, create or accept a bid or offer, query public collection orders or account orders, cancel an Elemen...

1· 93·0 current·0 all-time
by@element-som
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the requested resources: ELEMENT_API_KEY for the Element API and ELEMENT_WALLET_PRIVATE_KEY to sign on-chain transactions locally. Required binaries (node, jq) and shipped prebuilt JS are consistent with the declared trading functionality.
Instruction Scope
SKILL.md limits operations to trading-related flows, documents required env vars, and enforces confirmation rules for state-changing actions. It does not instruct the agent to read unrelated system files or to exfiltrate secrets in chat; examples run the included entry.js.
Install Mechanism
No network install is required; the skill ships prebuilt JavaScript under scripts/lib/, so nothing is downloaded at install time. This is lower risk than remote downloads or run-time fetches.
Credentials
Only two env vars are required (ELEMENT_API_KEY and ELEMENT_WALLET_PRIVATE_KEY), which is appropriate for an on-chain trading tool. The wallet private key is highly sensitive — the skill expects it in environment variables and will use it to sign transactions locally. The primaryEnv being ELEMENT_API_KEY is reasonable but does not reduce the sensitivity of the private key.
Persistence & Privilege
always:false and default autonomous invocation settings are normal. The runtime enforces confirmed:true for any state-changing operation, reducing risk from automated execution. Nonetheless, granting any skill access to a private key increases blast radius if misused — verify invocation policies and require explicit confirmations before use.
Assessment
This skill appears to do exactly what it says: use the Element API and a locally configured wallet private key to create/buy/accept/cancel orders. Before installing: 1) Use a dedicated low-value wallet for testing and never reuse a primary funds wallet. 2) Understand that the skill requires placing your private key in the environment — consider safer signing options (hardware wallet or a provider/connection flow) if available. 3) Keep autonomous invocation governed by policies you control; although the skill enforces confirmed:true for state changes, verify your agent's settings so the skill cannot run unintentionally. 4) Review the shipped scripts/lib/entry.js and any code that constructs providers (to confirm no unexpected network endpoints or telemetry). 5) Rotate the private key if you stop using the skill or suspect leakage.

Like a lobster shell, security has layers — review code before you run it.

latestvk97470wfww50xsx5njbczhhd1n842thz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvELEMENT_API_KEY, ELEMENT_WALLET_PRIVATE_KEY
Primary envELEMENT_API_KEY

Comments