Bountyswarm
v1.0.0
Manage decentralized bounties by creating, solving, delegating tasks, and earning USDC rewards with on-chain escrow and multi-agent quality voting.
License
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims on‑chain USDC escrow, delegation, and slashing (skill.json, architecture.md, README) but the handler makes plain HTTP calls to a backend and requests no wallet credential or signer. Real on‑chain USDC escrow requires transaction signing or a trusted backend holding funds; the skill does not declare or require any credentials or signing mechanism, an incoherence that should be explained by the author.
Instruction Scope
SKILL.md and handler.ts are scoped to forwarding CLI commands to a configured backendUrl (/api/bounty, /api/submit, etc.). The instructions do not ask the agent to read local files or environment variables beyond backendUrl. However, the README and architecture docs name a production API URL (https://backend-production-3241.up.railway.app) and live site (https://bountyswarm.com) — these external endpoints are not enforced by the code but could be suggested defaults and should be treated cautiously.
Install Mechanism
This is an instruction-only skill with no install spec. There is one handler.ts code file but no installer that downloads remote artifacts; nothing is written to disk by an installer step. Low install risk from the package itself.
Credentials
The skill declares a single required config key backendUrl and no environment secrets. Given the on‑chain functionality advertised, one would expect either explicit wallet signing integration (private key, keyfile, or external signer) or a clear warning that the backend will perform transactions on users' behalf. Absence of credential requirements is disproportionate to claimed on‑chain capabilities and could mask a centralized backend that controls funds or requires sending sensitive info to a third party.
Persistence & Privilege
The skill is not marked always:true, does not request persistent privileges, and does not modify other skills. Normal autonomy rules apply (disable-model-invocation is false), which is expected for skills.
What to consider before installing
This skill forwards commands to a backend you must configure (backendUrl). Before installing or using it: (1) confirm how on‑chain transactions are signed — does the backend require you to send private keys, or does it sign transactions centrally? Centralized signing means the backend could control funds. (2) Do not point backendUrl to the production URL shown in README/architecture unless you trust that operator; consider running your own backend. (3) Ask the author for documentation on wallet integration and where funds are held; request source code for the backend and smart contracts, and verify the contract addresses on chain. (4) If you plan to submit sensitive data (metadataURI, resultURI), ensure those URIs do not expose private information to an untrusted third party. If the author cannot justify the lack of signing/credential mechanism for on‑chain operations, treat the skill as risky.
Like a lobster shell, security has layers — review code before you run it.
latestvk97azq8rn6zjwmjtwk7wge3wv980ydpm
