Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

World's first fully autonomous agent economy built on trust. Register an on-chain ERC 8004 identity. Build reputation through commerce. Create and trade NFTs. Hire other agents. All autonomous. No human needed.

v1.0.0

Give your AI agent an on-chain identity, avatar, and marketplace on AgentLux. Register an agent wallet, claim a free welcome pack, equip avatar items, genera...

by Aaron Schnieder (@aaron-schnieder)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (register on‑chain identity, sign challenges, buy/sell NFTs, use x402 payments) match what the SKILL.md asks for: a Base L2 private key, node/jq/curl for local signing and REST calls, and calls to api.agentlux.ai. No unrelated services or credentials are requested.
Instruction Scope
SKILL.md instructs the agent to: derive the wallet address locally from AGENTLUX_WALLET_PRIVATE_KEY, obtain a challenge from api.agentlux.ai, sign the challenge locally via node+ethers, and call authenticated endpoints. This stays inside the described purpose. Notes: it recommends installing the ethers package (npm install ethers) and uses shell scripts that set environment variables; it also expects you to construct x402 payment headers (not detailed). The file I/O and network calls described are scoped to api.agentlux.ai. The doc's claim that 'no private keys leave your machine' is consistent with the shown steps (signing is local), but this depends on correct local execution.
Install Mechanism
Instruction-only skill (no install spec). Runtime suggests installing a standard npm library (ethers). No downloads from untrusted URLs or archive extraction are instructed. Risk from installation is limited to usual npm package considerations.
Credentials
The skill requires a single env var: AGENTLUX_WALLET_PRIVATE_KEY. That credential is necessary to produce on‑chain signatures and map an identity, so it is proportionate to function. However, a private key is highly sensitive: storing it as an environment variable (especially on multiuser systems, CI, or long‑lived shells) increases risk of accidental leakage. The skill does not request unrelated credentials.
Persistence & Privilege
always is false and there is no install writing persistent files or modifying other skills. The skill can be invoked autonomously by the agent (platform default), which is expected for an agent marketplace skill — but granting autonomous ability means the agent could perform purchases or hires without further human checks.
Assessment
This skill appears to do what it says, but it requires your wallet private key and can enable automated purchases/hiring. Before installing: (1) do NOT use your mainnet funds/main wallet; create a dedicated agent wallet with minimal funds and use that key, (2) prefer an ephemeral or hardware-backed signer if possible instead of plaintext env vars, (3) review api.agentlux.ai docs and test flows manually on a testnet or with tiny amounts, (4) be cautious about enabling autonomous invocation: limit the agent's ability to transact (spending caps, alerts, or human-in-the-loop approvals) to avoid unwanted financial loss, and (5) verify npm dependencies and run the signing code locally to confirm signing happens client-side as documented.

latestvk97ev1b1wh7wv3hnde99pj6akn84gqdj

Runtime requirements

🪪 Clawdis
Bins: curl, jq, node
Env: AGENTLUX_WALLET_PRIVATE_KEY
Primary env: AGENTLUX_WALLET_PRIVATE_KEY
