Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Buff Round-Up Investing

Track and calculate round-up investments from agent transactions. Rounds up payment amounts to the nearest dollar increment and records the spare change for...

License: MIT-0. Free to use, modify, and redistribute. No attribution required.
Installs: 0 current, 0 all-time
Security Scan

VirusTotal: Suspicious (view report)
OpenClaw: Suspicious, medium confidence
Purpose & Capability
The SKILL.md's purpose (calculate round-ups, optionally invest via a derived Solana wallet) is coherent with requiring a 32-byte seed. However, the published registry metadata declares no required env vars or binaries while the SKILL.md explicitly requires BUFF_AGENT_SEED, recommends node/npm, and references process.env.OPENCLAW_AGENT_ID; that metadata mismatch is an incoherence that affects trust and install-time prompts.
Instruction Scope
The instructions tell the agent/user to npm install third-party SDKs, generate and provide a sensitive seed, and connect to external RPC/Jupiter APIs. There is no instruction-only code here that exfiltrates secrets, but the skill's runtime behavior would involve network calls and handling private keys. SKILL.md also references a remote dashboard for monitoring (external endpoint) and uses environment variables not declared in the registry, which expands scope without transparent platform-level disclosure.
Install Mechanism
No install spec is included in the skill bundle (instruction-only), but SKILL.md instructs the user to run 'npm install buff-protocol-sdk @solana/web3.js'. Installing third-party npm packages that manage wallet seeds is a moderate-risk action — npm packages are traceable but not pre-reviewed by this platform. The SKILL.md links to GitHub and npm which helps vetting, but the skill itself does not provide an audited install manifest or lockfile.
Credentials
Requesting a 32-byte hex seed (BUFF_AGENT_SEED) is proportionate to the stated ability to derive a wallet and execute swaps, but it is highly sensitive. The registry metadata did not declare this required credential (it lists none), nor did it declare the optional BUFF_PLAN/BUFF_INVEST_INTO/BUFF_THRESHOLD or required node/npm binaries. The omission means the platform may not warn users appropriately before they enter secrets.
Persistence & Privilege
The skill is not marked always:true and is user-invocable only; there is no evidence it requests persistent platform privileges or modifies other skills. Autonomous invocation is allowed by default (disable-model-invocation:false) which is normal — combine that with the sensitivity of a wallet seed and exercise caution, but the skill does not request exceptional platform privileges.
What to consider before installing
This skill could do what it says (track spare change and optionally swap it into crypto), but you should not provide a private wallet seed unless you trust the SDK and its author. Before installing or using:

1. Verify the npm package and GitHub repo (review recent commits, open issues, publisher identity).
2. Prefer read-only operation (recording round-ups) and avoid supplying BUFF_AGENT_SEED until you’ve audited the SDK.
3. Be aware the SKILL.md expects node/npm and network access to Solana RPC/Jupiter, but the registry metadata omitted those requirements; expect the platform not to prompt for these by default.
4. If you must supply a key, consider using a dedicated small-balance seed or a watch-only/public key for monitoring instead of your primary key.
5. Confirm the external dashboard domain and do not paste private keys into third-party sites.

If you want stronger assurance, ask the publisher for a signed release, an audit of buff-protocol-sdk, or a versioned npm tarball, and verify its contents before running npm install.


Current version: v1.1.0
Tags: agent, defi, investing, latest, roundup, solana


SKILL.md

Buff Round-Up Investing for OpenClaw

Buff tracks your agent's transaction costs and calculates how much spare change could be invested. By default, Buff only calculates and records round-ups — actual investment execution is opt-in and requires explicit configuration.

What This Skill Does

  • Calculates round-ups: "$4.73 transaction → $5.00 = $0.27 spare change"
  • Tracks accumulated spare change over time
  • Optionally invests when the user enables auto-invest and the threshold is reached

This skill does NOT:

  • Move funds without explicit opt-in
  • Access any wallet keys unless the user provides BUFF_AGENT_SEED
  • Make payments on your behalf (x402 is disabled by default)

Setup

1. Install

npm install buff-protocol-sdk @solana/web3.js

The SDK is open source on GitHub and published on npm.

2. Configure

Set environment variables. Only BUFF_AGENT_SEED is sensitive — treat it like a private key.

# Required: 32-byte hex seed (generate one below)
BUFF_AGENT_SEED=your-32-byte-hex-seed

# Optional: customize behavior (defaults shown)
BUFF_PLAN=sprout          # seed|sprout|tree|forest
BUFF_INVEST_INTO=BTC      # BTC|ETH|SOL|USDC
BUFF_THRESHOLD=5          # USD threshold before swap

Generate a seed:

node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

3. Initialize

import { Buff } from "buff-protocol-sdk"

const buff = await Buff.init({
  agentSeed: process.env.BUFF_AGENT_SEED,
  platformId: "openclaw-agent",
  agentId: process.env.OPENCLAW_AGENT_ID || "my-agent",
  source: "agent",
  plan: process.env.BUFF_PLAN || "sprout",
  investInto: process.env.BUFF_INVEST_INTO || "BTC",
  investThreshold: Number(process.env.BUFF_THRESHOLD) || 5,
})

Usage

Record a round-up (calculation only, no funds moved):

const { breakdown } = await buff.wrapAmount({
  txValueUsd: 4.73,
  source: "agent",
  memo: "API call",
})
console.log("Round-up: $" + breakdown.roundUpUsd)
// Sprout plan: $4.73 → $4.80 = $0.07 recorded

Check accumulated total:

const stats = buff.getStats()
console.log("Total round-ups:", stats.totalRoundUps)
console.log("Accumulated: $" + stats.totalInvestedUsd)

View portfolio:

const portfolio = await buff.getPortfolio()
console.log("Pending SOL:", portfolio.pendingSol)
console.log("Invested:", portfolio.totalUsd, "USD")

Opt-in: Execute investment (only when explicitly called):

// Only call this if you want to actually swap SOL → BTC/ETH via Jupiter
const { swaps } = await buff.checkAndInvest()
if (swaps.length > 0) {
  console.log("Invested:", swaps.map(s => s.asset).join(", "))
}

Plan Tiers

Plan     Rounds to   Fee     Description
Seed     $0.05       1%      Smallest round-ups
Sprout   $0.10       0.75%   Default, balanced
Tree     $0.50       0.5%    Moderate round-ups
Forest   $1.00       0.25%   Maximum round-ups
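
The round-up arithmetic behind wrapAmount() and the threshold gate behind checkAndInvest(), as an added example that is not the SDK's code: it implements the "Rounds to" column of the plan table above and accumulates spare change offline, so the calculation-only half of the skill can be exercised with no seed and no network. Names (calcRoundUp, RoundUpTracker) and the rule that an amount already on the increment yields $0.00 are assumptions.

```javascript
// Added example (not the SDK's code): offline round-up calculation and
// accumulation per plan tier, using the "Rounds to" column of the Plan Tiers
// table. Amounts are handled in integer cents to avoid floating-point drift.
const PLAN_ROUNDS_TO_USD = { seed: 0.05, sprout: 0.10, tree: 0.50, forest: 1.00 };

const toCents = (usd) => Math.round(usd * 100);

// Round a transaction up to the plan's increment and return the spare change.
// Assumption: an amount already on the increment yields $0.00 spare change.
function calcRoundUp(txValueUsd, plan = "sprout") {
  const stepUsd = PLAN_ROUNDS_TO_USD[plan];
  if (stepUsd === undefined) throw new Error("unknown plan: " + plan);
  if (!Number.isFinite(txValueUsd) || txValueUsd < 0) {
    throw new Error("txValueUsd must be a non-negative finite number");
  }
  const txCents = toCents(txValueUsd);
  const stepCents = toCents(stepUsd);
  const roundedCents = Math.ceil(txCents / stepCents) * stepCents;
  return {
    txValueUsd: txCents / 100,
    roundedToUsd: roundedCents / 100,
    roundUpUsd: (roundedCents - txCents) / 100,
  };
}

// Accumulates spare change and reports when the swap threshold is reached.
// No keys and no network: this is the "calculation only" half of the skill.
class RoundUpTracker {
  constructor(plan = "sprout", thresholdUsd = 5) {
    this.plan = plan;
    this.thresholdCents = toCents(thresholdUsd);
    this.accumulatedCents = 0;
    this.count = 0;
  }
  // Record one transaction; returns a breakdown like wrapAmount() would.
  record(txValueUsd, memo = "") {
    const breakdown = calcRoundUp(txValueUsd, this.plan);
    this.accumulatedCents += toCents(breakdown.roundUpUsd);
    this.count += 1;
    return { ...breakdown, memo };
  }
  getStats() {
    return { totalRoundUps: this.count, accumulatedUsd: this.accumulatedCents / 100 };
  }
  // The gate a checkAndInvest()-style swap would sit behind.
  thresholdReached() {
    return this.accumulatedCents >= this.thresholdCents;
  }
}
```

Running a few recorded transactions through the tracker before any seed is configured shows exactly what the skill would accumulate per plan, which is the behaviour worth verifying before opting in to swaps.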

Security

  • The BUFF_AGENT_SEED is used to derive a deterministic Solana keypair. Never share it.
  • The derived wallet only holds accumulated round-up SOL — keep it funded with small amounts.
  • No funds are moved without calling checkAndInvest() explicitly.
  • All code is open source — audit it yourself.
  • The SDK connects to public Solana RPC and Jupiter API — no proprietary backends.

Dashboard

Monitor your agent's portfolio at: https://sow-beryl.vercel.app/dashboard

  • Use the "Monitor" tab
  • Enter your agent's public key (not the seed)
  • View portfolio, activity, and allocation (read-only)

Files: 2 total