POIDH Bounty Bot

v1.0.3

Post bounties and evaluate/accept winning submissions on poidh (pics or it didn't happen) on Arbitrum, Base, or Degen Chain. Use this skill when the user wan...

⭐ 1· 537·0 current·0 all-time

by@saltorioussig

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for saltorioussig/poidh.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "POIDH Bounty Bot" (saltorioussig/poidh) from ClawHub.
Skill page: https://clawhub.ai/saltorioussig/poidh
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: PRIVATE_KEY, RPC_URL, POIDH_CHAIN
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install saltorioussig/poidh

ClawHub CLI

Package manager switcher

npx clawhub@latest install poidh

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

Purpose & Capability

The SKILL.md clearly requires a PRIVATE_KEY, RPC_URL, and POIDH_CHAIN and lists required binaries (cast, python3) to sign and send transactions and to fetch/evaluate claims. Those requirements are coherent with the stated purpose (creating and accepting Poidh bounties). However, the registry metadata reported earlier (no required env vars / no required binaries) contradicts SKILL.md. That mismatch is notable: either the registry metadata is incomplete or the instructions are out-of-date.

Instruction Scope

Runtime instructions direct the agent to use the user's EOA PRIVATE_KEY to sign transactions (cast send --private-key), query the chain, fetch claim URIs (which can be arbitrary external URLs/IPFS/tweets/pages), and evaluate content via vision. Fetching and evaluating arbitrary external content is expected for this task but expands the attack surface (malicious payloads, tracking URLs). Using the raw private key on the agent and passing it as a CLI argument increases exposure (process lists, logs).

ℹ

Install Mechanism

This is an instruction-only skill with no install spec or code files, which minimizes file-system risk. SKILL.md does declare required binaries (cast, python3) but the registry claimed none — the inconsistency should be resolved. No downloads or external installers are present.

Credentials

Requesting a full PRIVATE_KEY and RPC_URL is functionally necessary to post/accept on-chain bounties, but it is a high-privilege secret. The skill does not propose safer alternatives (e.g., signing via a hardware wallet, remote signer, or delegated service). Passing the private key on the command line (as shown) can leak it via process listings or logs. The declared registry metadata failing to list these env vars is an additional red flag.

✓

Persistence & Privilege

The skill is not marked always:true and has no install spec that writes persistent binaries or modifies other skills. Autonomous invocation is allowed (default) but is not, by itself, a new concern; combine that with the private key requirement and fetching external content for higher risk.

What to consider before installing

This skill will need your wallet private key and an RPC URL to operate — both are highly sensitive. Before installing or using it: (1) Confirm with the publisher why the registry metadata omitted the PRIVATE_KEY / RPC_URL / binaries listed in SKILL.md. (2) Prefer safer signing: use a dedicated ephemeral EOA with minimal funds, a remote signer, or hardware wallet rather than pasting your main private key. (3) If you must provide a key, avoid passing it on the command line (the examples do); that exposes it to process listings and logs. (4) Test with very small amounts on the target chain and verify the contract addresses and MIN_BOUNTY_AMOUNT on-chain yourself. (5) Be aware the agent will fetch and evaluate arbitrary external URIs attached to claims — those URIs can host malicious content or tracking. If you are uncomfortable with these risks or cannot use a delegated signer, do not install/enable this skill.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Environment variables

PRIVATE_KEYrequired

RPC_URLrequired

POIDH_CHAINrequired

latestvk9723eq6e17qzpnd8yx7p4fmyh822n7g

537downloads

1stars

4versions

Updated 11h ago

v1.0.3

MIT-0

Overview

This skill interacts with the PoidhV3 contracts on Arbitrum, Base, and Degen Chain to:

Post bounties (solo or open)
Evaluate claim submissions using vision — fetch the image URI from each claim and compare against the bounty description
Accept the winning claim (solo bounty) or initiate + resolve a vote (open bounty)

poidh ("pics or it didn't happen") is a fully on-chain bounty protocol. Claimants submit photo proof, and the bounty issuer (or contributors via vote) accepts the best claim to release funds.

⚠️ The PoidhV3 contract enforces msg.sender == tx.origin. Only EOA wallets can create or accept bounties. Smart contract wallets (Safe, etc.) will revert with ContractsCannotCreateBounties.

Required Environment Variables

Variable	Description
`PRIVATE_KEY`	Private key of the EOA signing transactions (hex, with or without 0x prefix)
`RPC_URL`	RPC URL for the target chain
`POIDH_CHAIN`	Target chain: `arbitrum`, `base`, or `degen`

POIDH_CONTRACT_ADDRESS is resolved automatically from POIDH_CHAIN — do not set it manually.

Supported Chains

Chain	Contract Address	Explorer
Arbitrum	`0x5555Fa783936C260f77385b4E153B9725feF1719`	arbiscan.io
Base	`0x5555Fa783936C260f77385b4E153B9725feF1719`	basescan.org
Degen Chain	`0x18E5585ca7cE31b90Bc8BB7aAf84152857cE243f`	explorer.degen.tips

⚠️ Minimum amounts differ by chain. On Arbitrum and Base: 0.001 ETH minimum bounty, 0.00001 ETH minimum contribution. On Degen Chain: 1000 DEGEN minimum bounty, 10 DEGEN minimum contribution. Always verify on-chain before posting:
cast call $POIDH_CONTRACT_ADDRESS "MIN_BOUNTY_AMOUNT()(uint256)" --rpc-url $RPC_URL
cast call $POIDH_CONTRACT_ADDRESS "MIN_CONTRIBUTION()(uint256)" --rpc-url $RPC_URL

Resolve the contract address at the start of every session:

if [ "$POIDH_CHAIN" = "degen" ]; then
  POIDH_CONTRACT_ADDRESS="0x18E5585ca7cE31b90Bc8BB7aAf84152857cE243f"
else
  # arbitrum and base share the same address
  POIDH_CONTRACT_ADDRESS="0x5555Fa783936C260f77385b4E153B9725feF1719"
fi

The poidh.xyz URL also changes per chain:

if [ "$POIDH_CHAIN" = "arbitrum" ]; then
  POIDH_BASE_URL="https://poidh.xyz/arbitrum"
  POIDH_V2_OFFSET=180
elif [ "$POIDH_CHAIN" = "degen" ]; then
  POIDH_BASE_URL="https://poidh.xyz/degen"
  POIDH_V2_OFFSET=1197
else
  POIDH_BASE_URL="https://poidh.xyz/base"
  POIDH_V2_OFFSET=986
fi

Part 1: Posting a Bounty

Check Minimum Bounty Amount

cast call $POIDH_CONTRACT_ADDRESS "MIN_BOUNTY_AMOUNT()(uint256)" --rpc-url $RPC_URL

Post a Solo Bounty

Solo = only you fund it; you accept claims directly with no vote required.

cast send $POIDH_CONTRACT_ADDRESS \
  "createSoloBounty(string,string)" \
  "<BOUNTY_NAME>" \
  "<BOUNTY_DESCRIPTION>" \
  --value <AMOUNT> \
  --private-key $PRIVATE_KEY \
  --rpc-url $RPC_URL

Example:

cast send $POIDH_CONTRACT_ADDRESS \
  "createSoloBounty(string,string)" \
  "Brooklyn Bridge at sunset" \
  "High quality photo of the Brooklyn Bridge during golden hour. Must show the full span." \
  --value 0.001ether \
  --private-key $PRIVATE_KEY \
  --rpc-url $RPC_URL

Post an Open Bounty

Open = others can co-fund; claim acceptance requires a contributor-weighted vote.

cast send $POIDH_CONTRACT_ADDRESS \
  "createOpenBounty(string,string)" \
  "<BOUNTY_NAME>" \
  "<BOUNTY_DESCRIPTION>" \
  --value <AMOUNT> \
  --private-key $PRIVATE_KEY \
  --rpc-url $RPC_URL

Get the Bounty ID After Posting

cast receipt <TX_HASH> --rpc-url $RPC_URL --json | \
  python3 -c "
import sys, json
receipt = json.load(sys.stdin)
for log in receipt['logs']:
    if log['address'].lower() == '${POIDH_CONTRACT_ADDRESS}'.lower() and len(log['topics']) >= 2:
        bounty_id = int(log['topics'][1], 16)
        frontend_id = bounty_id + ${POIDH_V2_OFFSET}
        print(f'Bounty ID: {bounty_id}')
        print(f'View at: ${POIDH_BASE_URL}/bounty/{frontend_id}')
        break
"

Part 2: Evaluating Claims

When the user wants to pick a winner, the agent must:

Fetch all claims for the bounty
Retrieve each claim's URI from the NFT contract
Fetch and evaluate the content against the bounty description
Pick the best match

Claim submissions are freeform — the URI could point to an image, a video, a tweet, a GitHub PR, a webpage, a document, or anything else. Evaluate whatever you find against what the bounty asked for.

Step 1: Fetch Claims for a Bounty

cast call $POIDH_CONTRACT_ADDRESS \
  "getClaimsByBountyId(uint256,uint256)(tuple(uint256,address,uint256,address,string,string,uint256,bool)[])" \
  <BOUNTY_ID> 0 \
  --rpc-url $RPC_URL

Returns up to 10 claims (most recent first). Increment offset by 10 to paginate. Each claim tuple: (id, issuer, bountyId, bountyIssuer, name, description, createdAt, accepted)

The name and description fields on the claim are also set by the claimant and may give useful context about what they submitted.

Step 2: Get the URI for Each Claim

# Get NFT contract address
NFT_ADDRESS=$(cast call $POIDH_CONTRACT_ADDRESS "poidhNft()(address)" --rpc-url $RPC_URL)

# Get token URI for a specific claim
cast call $NFT_ADDRESS "tokenURI(uint256)(string)" <CLAIM_ID> --rpc-url $RPC_URL

Step 3: Resolve the URI

Convert non-HTTP URIs to fetchable URLs:

uri = "<URI_FROM_TOKEN>"
if uri.startswith("ipfs://"):
    url = uri.replace("ipfs://", "https://ipfs.io/ipfs/")
elif uri.startswith("ar://"):
    url = uri.replace("ar://", "https://arweave.net/")
else:
    url = uri  # already HTTP

If the URL returns JSON metadata (standard ERC721 format), check for an image or animation_url field and resolve those too:

import requests

response = requests.get(url)
try:
    meta = response.json()
    # Prefer animation_url (video/interactive) over image if both present
    content_url = meta.get("animation_url") or meta.get("image") or url
    if content_url.startswith("ipfs://"):
        content_url = content_url.replace("ipfs://", "https://ipfs.io/ipfs/")
except Exception:
    content_url = url  # URI points directly to the content

Step 4: Evaluate the Content

Fetch and review the content at content_url. Use the appropriate method based on what you find:

Image — use native vision to view it directly
Webpage / tweet / article — use the web fetch tool to read the content
Video — note the URL and evaluate based on the thumbnail or any available metadata
Document / PDF — fetch and read the text content

Evaluate each claim against the bounty name and description on:

Relevance — does the submission match what was actually asked for?
Quality — is it complete, clear, and unambiguous?
Authenticity — does it appear genuine and original (not recycled or faked)?

Pick the claim with the highest overall score. Present your reasoning to the user before executing any transaction.

Part 3: Accepting a Winning Claim — Solo Bounty

For solo bounties (and open bounties where no external contributors ever joined), the issuer accepts directly. This immediately finalizes the bounty, credits the claimant payout to pendingWithdrawals, takes the 2.5% protocol fee, and transfers the claim NFT to the issuer.

cast send $POIDH_CONTRACT_ADDRESS \
  "acceptClaim(uint256,uint256)" \
  <BOUNTY_ID> <CLAIM_ID> \
  --private-key $PRIVATE_KEY \
  --rpc-url $RPC_URL

Part 4: Accepting a Winning Claim — Open Bounty (Vote Flow)

For open bounties where external contributors have joined, direct accept is blocked. Use the two-step vote flow.

Check if External Contributors Exist

cast call $POIDH_CONTRACT_ADDRESS \
  "everHadExternalContributor(uint256)(bool)" \
  <BOUNTY_ID> \
  --rpc-url $RPC_URL

If false, fall back to acceptClaim (Part 3). If true, proceed with the vote flow below.

Step 1: Submit the Chosen Claim for Vote (Issuer Only)

The issuer's full contribution weight is automatically cast as a YES vote at this point.

cast send $POIDH_CONTRACT_ADDRESS \
  "submitClaimForVote(uint256,uint256)" \
  <BOUNTY_ID> <CLAIM_ID> \
  --private-key $PRIVATE_KEY \
  --rpc-url $RPC_URL

After this call, other contributors have 2 days to vote YES/NO via the poidh.xyz UI or by calling voteClaim(bountyId, bool) directly.

Step 2: Check Vote Status

cast call $POIDH_CONTRACT_ADDRESS \
  "bountyVotingTracker(uint256)(uint256,uint256,uint256)" \
  <BOUNTY_ID> \
  --rpc-url $RPC_URL
# Returns: yes_weight, no_weight, deadline_timestamp

python3 -c "import time; deadline=<DEADLINE>; print('Voting ended' if time.time() > deadline else f'Voting ends in {int((deadline - time.time())/3600)}h')"

Step 3: Resolve the Vote (Permissionless)

After the 2-day window closes, anyone can resolve. If YES weight > 50% of total weight, the claim is accepted and funds are distributed.

cast send $POIDH_CONTRACT_ADDRESS \
  "resolveVote(uint256)" \
  <BOUNTY_ID> \
  --private-key $PRIVATE_KEY \
  --rpc-url $RPC_URL

Part 5: Submitting a Claim on Someone Else's Bounty

Any EOA (except the bounty issuer) can submit a claim on an active open or solo bounty. This is how the agent acts as a claimant rather than an issuer. No native token is required to submit a claim — only gas.

The uri is the proof of completion — it can be anything: an IPFS image hash, a direct image URL, a tweet, a GitHub link, a webpage, a video, etc. It gets minted into a claim NFT at submission time.

Check That the Bounty is Active

Before submitting, verify the bounty exists, is not finalized, and has no ongoing vote:

cast call $POIDH_CONTRACT_ADDRESS \
  "bounties(uint256)(uint256,address,string,string,uint256,address,uint256,uint256)" \
  <BOUNTY_ID> \
  --rpc-url $RPC_URL
# Returns: id, issuer, name, description, amount, claimer, createdAt, claimId
# claimer == 0x0 means active; claimer == issuer means cancelled; claimer == other means already won

Also confirm no vote is currently in progress:

cast call $POIDH_CONTRACT_ADDRESS \
  "bountyCurrentVotingClaim(uint256)(uint256)" \
  <BOUNTY_ID> \
  --rpc-url $RPC_URL
# Returns 0 if no active vote — safe to submit

Submit the Claim

cast send $POIDH_CONTRACT_ADDRESS \
  "createClaim(uint256,string,string,string)" \
  <BOUNTY_ID> \
  "<CLAIM_NAME>" \
  "<CLAIM_DESCRIPTION>" \
  "<PROOF_URI>" \
  --private-key $PRIVATE_KEY \
  --rpc-url $RPC_URL

CLAIM_NAME — short title for the submission
CLAIM_DESCRIPTION — explanation of how the bounty was completed
PROOF_URI — the actual proof (image URL, IPFS URI, tweet URL, GitHub link, etc.)

Example:

cast send $POIDH_CONTRACT_ADDRESS \
  "createClaim(uint256,string,string,string)" \
  42 \
  "Brooklyn Bridge golden hour" \
  "Took this photo at 7:43pm on the Manhattan side. Full span visible with reflection in the water." \
  "ipfs://QmXyz..." \
  --private-key $PRIVATE_KEY \
  --rpc-url $RPC_URL

Get the Claim ID After Submitting

cast receipt <TX_HASH> --rpc-url $RPC_URL --json | \
  python3 -c "
import sys, json
receipt = json.load(sys.stdin)
for log in receipt['logs']:
    if log['address'].lower() == '$POIDH_CONTRACT_ADDRESS'.lower() and len(log['topics']) >= 2:
        claim_id = int(log['topics'][1], 16)
        print(f'Claim ID: {claim_id}')
        break
"

Important Constraints

The agent's wallet (PRIVATE_KEY) cannot be the bounty issuer — IssuerCannotClaim will revert
Submitting is blocked while a vote is active on that bounty — VotingOngoing will revert
The bounty must still be open — finalized or cancelled bounties will revert
There is no limit to the number of claims per bounty; the issuer picks the best one

Part 6: Withdrawing Funds

After winning a bounty as claimant, funds are credited to pendingWithdrawals and must be explicitly collected. The bounty payout minus the 2.5% protocol fee is available immediately after acceptClaim or resolveVote finalizes.

Check Pending Balance

cast call $POIDH_CONTRACT_ADDRESS \
  "pendingWithdrawals(address)(uint256)" \
  <YOUR_ADDRESS> \
  --rpc-url $RPC_URL

Withdraw to Your Own Address

cast send $POIDH_CONTRACT_ADDRESS \
  "withdraw()" \
  --private-key $PRIVATE_KEY \
  --rpc-url $RPC_URL

Withdraw to a Different Address

cast send $POIDH_CONTRACT_ADDRESS \
  "withdrawTo(address)" \
  <RECIPIENT_ADDRESS> \
  --private-key $PRIVATE_KEY \
  --rpc-url $RPC_URL

withdraw() sends the entire pending balance in one call. Check balance first to confirm funds are available before sending the transaction.

Agent Decision Flow

Posting a Bounty

Ask for: name, description, amount (ETH on Arbitrum/Base, DEGEN on Degen Chain), type (solo or open — default solo)
Confirm with user before sending — this spends real ETH (or DEGEN on Degen Chain)
Run createSoloBounty or createOpenBounty
Return tx hash and $POIDH_BASE_URL/bounty/<bountyId + $POIDH_V2_OFFSET>

Submitting a Claim

Ask for: bounty ID, proof URI (image, link, IPFS hash, etc.), claim name, claim description
Verify the bounty is active and has no ongoing vote
Confirm the agent's wallet is not the bounty issuer
Confirm with user before sending
Call createClaim(bountyId, name, description, uri)
Return the claim ID and tx hash

Evaluating and Accepting

Ask for the bounty ID
Check everHadExternalContributor to determine the correct acceptance path
Fetch all active (non-accepted) claims via getClaimsByBountyId
For each claim: get tokenURI, resolve URI, evaluate content using the appropriate tool (vision for images, web fetch for links, etc.)
Present recommended winner + reasoning to user, confirm before transacting
Solo / no external contributors: acceptClaim(bountyId, claimId)
Open with external contributors: submitClaimForVote(bountyId, claimId), inform user contributors have 2 days to vote, then resolveVote after deadline

Native Token Amount Reference

Human amount	Cast value
0.001 ETH	`0.001ether`
0.01 ETH	`0.01ether`
1 ETH	`1ether`
1000 DEGEN	`1000ether`
10 DEGEN	`10ether`

cast uses ether as a unit label for any 18-decimal token. On Degen Chain, this means DEGEN, not ETH.

Fee Note

PoidhV3 takes a 2.5% fee on accepted claim payouts, deducted only at acceptance. The full msg.value is held in escrow until then. The fee is paid in the chain's native token — ETH on Arbitrum and Base, DEGEN on Degen Chain.

Error Reference

Error	Cause	Fix
`ContractsCannotCreateBounties()`	Wallet is a smart contract	Use an EOA private key
`MinimumBountyNotMet()`	Amount below `MIN_BOUNTY_AMOUNT`	Increase `--value` (0.001 ETH on Arbitrum/Base, 1000 DEGEN on Degen)
`MinimumContributionNotMet()`	Contribution below `MIN_CONTRIBUTION`	Increase `--value` when joining open bounty
`NoEther()`	`--value` was 0 or omitted	Add `--value`
`WrongCaller()`	Not the bounty issuer	Use the issuer's private key
`VotingOngoing()`	Active vote in progress	Wait for deadline, then `resolveVote`
`VotingEnded()`	Deadline passed without resolution	Call `resolveVote`
`NotSoloBounty()`	Open bounty with contributors tried direct accept	Use `submitClaimForVote` instead
`ClaimAlreadyAccepted()`	Claim was already accepted	Nothing to do
`BountyClaimed()`	Bounty already finalized	Nothing to do
`BountyClosed()`	Bounty was cancelled	Nothing to do
`BountyNotFound()`	Invalid bounty ID	Check bounty ID
`ClaimNotFound()`	Invalid claim ID	Check claim ID
`IssuerCannotClaim()`	Issuer tried to submit a claim on their own bounty	Different wallet must claim
`NotActiveParticipant()`	Caller is not a participant or has withdrawn	Must be an active contributor
`MaxParticipantsReached()`	Open bounty has 150 contributors	Wait for a slot to free up
`NothingToWithdraw()`	No pending balance	Check `pendingWithdrawals(address)` first
`VoteWouldPass()`	Tried to reset a vote that would pass	Cannot override a winning vote

Comments

Loading comments...