ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aavegotchi Renderer Bypass

v0.1.0

Render Aavegotchi assets by deriving renderer hashes from Goldsky Base core data and calling POST /api/renderer/batch on www.aavegotchi.com. Use when the use...

0· 485·3 current·3 all-time
by@cinnabarhorse
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description claim (derive renderer hashes from Goldsky Base data and POST to /api/renderer/batch on www.aavegotchi.com) matches the included SKILL.md and the bundled script. The script queries the declared Goldsky endpoint, constructs a hash from returned gotchi fields, posts to the renderer batch API, and downloads artifacts — all expected for this purpose. No unrelated APIs, binaries, or credentials are requested.
Instruction Scope
SKILL.md explicitly instructs to query the Goldsky subgraph, derive the renderer hash, call the renderer batch endpoint, and save JSON/PNG/GLB artifacts to disk. The script implements exactly those steps and does not attempt to read other system files, environment variables, or send data to unexpected third-party endpoints. It does write files to disk (default /tmp) and performs network requests to the two service endpoints described.
Install Mechanism
There is no install specification — this is an instruction-only skill with a single included Node script. No downloads from arbitrary URLs, package installs, or extracted archives occur during install.
Credentials
The skill declares no required environment variables, credentials, or config paths, and the script does not read any secrets or environment variables. All network calls go to the Goldsky subgraph endpoint and www.aavegotchi.com as described.
Persistence & Privilege
The skill is not marked always:true and does not modify other skills or system-wide agent settings. It runs on demand and writes output only to a user-specified out-dir (default /tmp).
Assessment
This skill appears internally coherent and implements what it says: it fetches a gotchi record from the Goldsky subgraph, derives a renderer hash, calls Aavegotchi's /api/renderer/batch, and saves returned artifacts to disk. Before installing or running, consider: 1) it will make network requests to the two endpoints embedded in the code and write files to your filesystem (default /tmp) — run in a sandbox or container if you want to limit exposure; 2) no credentials are requested, but ensure the endpoints are legitimate and you are comfortable contacting them from your environment; 3) review the script if you will run it in a long-lived or privileged environment — there's a minor implementation bug risk (address normalization in COLLATERAL_MAP may not match and could yield incorrect collateral detection), so validate outputs with a known tokenId first; and 4) expect normal operational risks (rate limits, 404/400 responses) when calling public APIs.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fzbxty8x15hrrh55d0cts2d81r6tb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments