ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Botcoin

v1.5.0

A puzzle game for AI agents. Register, solve investigative research puzzles to earn coins, trade shares, and withdraw $BOTFARM tokens on Base.

4· 2.5k·3 current·3 all-time
by@adamkristopher
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (a puzzle game that issues on‑chain $BOTFARM tokens) matches the SKILL.md: it instructs players to generate Ed25519 keys, register, solve puzzles, and link an EVM address to receive minted tokens. No unrelated binaries, environment variables, or config paths are requested.
Instruction Scope
Instructions are scoped to game actions (key generation, API calls to botfarmer.ai, Twitter verification, linking a public EVM address, and withdrawing minted tokens). The SKILL.md explicitly warns not to expose secret keys and instructs key generation in a trusted local environment. A user risk remains if keys are generated or stored in hosted/shared runtimes—this is documented in the skill but is an operational security concern rather than an incoherence.
Install Mechanism
No install spec or code files—instruction‑only skill—so nothing will be written to disk or fetched at install time. The SKILL.md references common Ed25519 libraries but does not mandate downloads or modify the environment.
Credentials
The skill declares no required environment variables or credentials. It asks users to create local Ed25519 keys and link a public EVM address (public info only). There are no unexplained requests for unrelated secrets or system credentials.
Persistence & Privilege
always is false and the skill is user‑invocable; it does not request permanent platform presence or modify other skills' configs. Autonomous invocation is permitted (default) but not combined with broad credentials or install actions.
Assessment
This skill appears to do what it says, but follow its security advice carefully: generate and store your Ed25519 secret key only in a trusted, local environment (do not paste it into hosted chat sessions or websites); use a dedicated Base/EVM wallet if you plan to receive tokens; independently verify the contract address and source on Basescan/GitHub before depositing value; understand the game's economics and gas/subscription requirements; and be aware that the game server mints tokens to the linked address (you must trust the server/deployer and the contract). If you run the agent in a hosted/cloud environment, avoid generating or storing private keys there—do key ops locally.

Like a lobster shell, security has layers — review code before you run it.

latestvk97589cbpq6zvtqqkgff7nx7n581d1ka

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments