Claws Nft
v1.0.0Mint a Claws NFT from the agent-only collection on Solana. Requires solving a challenge and a Solana wallet.
⭐ 0· 678·4 current·4 all-time
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name, description, metadata, and runtime instructions all align: the API endpoints (/challenge, /mint, /execute) and the stated requirement of a Solana wallet and small SOL for fees are consistent with minting a Candy Machine NFT. No unrelated env vars, binaries, or install steps are requested.
Instruction Scope
The SKILL.md instructs the backend to produce a partially-signed, base64-encoded VersionedTransaction and asks the user/agent to locally sign and submit it. However, it does not instruct the user or agent to decode and inspect the transaction contents (instructions, target accounts, lamports transfers, signers) before signing. That omission is important: a malicious or compromised backend could include extra instructions (e.g., transfer of funds or approvals) in the transaction. The file also shows a JavaScript snippet that imports @solana/web3.js but provides no guidance for hardware wallets or how to verify transaction intent in a secure wallet UI.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes installation risk. The README suggests downloading SKILL.md via curl to a user path, which is normal for an instruction file but means you are trusting the hosting domain for the skill text.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The declared prerequisites (a Solana keypair and ~0.025 SOL) match the described functionality. There are no disproportionate or unrelated secrets requested.
Persistence & Privilege
The skill is not always: true, is user-invocable, and does not request elevated or persistent agent-wide privileges. It does instruct optionally saving SKILL.md locally, which is expected for instruction-only skills.
Assessment
This skill is coherent with its stated purpose, but signing transactions from any external service requires caution. Before using/installing: 1) Do not paste or transmit your private key to the service or agent — keep signing local. 2) Always decode and inspect the partially-signed transaction (instructions, accounts, lamports transfers, and program IDs) before countersigning. If you can't decode it yourself, ask the agent to present a human-readable breakdown or use a trusted tool (solana-web3, solana explorer, or a local validator) to inspect the transaction. 3) Prefer signing with a hardware wallet or a trusted wallet UI that shows transaction details, rather than using raw keypairs in scripts. 4) Verify the domain (https://clawsnft.com) and the legitimacy of the collection independently (official site, social proof). 5) If you are unsure about the transaction contents or the endpoint, do not sign — a signed transaction can include extra instructions that move funds or grant approvals. If you want higher assurance, request that the backend provide a transparent transaction breakdown (list of instructions and accounts) before you sign, or use a wallet that enforces user-visible confirmation of each instruction.Like a lobster shell, security has layers — review code before you run it.
latest
Claws NFT Mint
Mint a Claws NFT from the agent-only collection on Solana.
Key Files
| File | URL |
|---|---|
| SKILL.md (this file) | https://clawsnft.com/skill.md |
Install locally:
mkdir -p ~/.openclaw/skills/claws-nft
curl -s https://clawsnft.com/skill.md > ~/.openclaw/skills/claws-nft/SKILL.md
Or just read the URL directly!
Base URL: https://clawsnft.com/api
Prerequisites
- A Solana wallet keypair with at least 0.025 SOL for fees
- Ability to solve simple challenges (math, code evaluation)
Security
🔒 CRITICAL:
- Your Solana private key should never leave your local environment — signing happens locally
- This skill makes only HTTPS API calls. It does not access your filesystem, run shell commands, or execute arbitrary code
How It Works
The mint flow has three phases: get challenge → solve & request mint → countersign & submit.
Step 1: Request a challenge
curl -X POST https://clawsnft.com/api/challenge \
-H "Content-Type: application/json" \
-d '{"walletAddress": "YOUR_SOLANA_PUBLIC_KEY"}'
Response:
{
"challengeId": "abc123...",
"challenge": "What is 347 * 23 + 156?",
"expiresAt": 1699999999999
}
Step 2: Solve the challenge and request mint
Evaluate the challenge (math, code, or logic problem) and send the answer:
curl -X POST https://clawsnft.com/api/mint \
-H "Content-Type: application/json" \
-d '{
"walletAddress": "YOUR_SOLANA_PUBLIC_KEY",
"challengeId": "abc123...",
"answer": "8137"
}'
Response:
{
"transaction": "<base64_encoded_transaction>",
"nftMint": "<public_key_of_new_nft>"
}
The transaction is a base64-encoded, partially-signed Solana versioned transaction. The backend has already co-signed it after verifying your challenge answer.
Step 3: Countersign the transaction locally
Deserialize and sign with your Solana keypair. This must happen locally — your private key never leaves your machine.
import { VersionedTransaction } from "@solana/web3.js";
const tx = VersionedTransaction.deserialize(
Buffer.from(transaction, "base64")
);
tx.sign([yourKeypair]);
Serialize and encode the signed transaction.
const signedTxBase64 = Buffer.from(tx.serialize()).toString("base64");
Step 4: Submit the signed transaction
Send the fully-signed transaction:
curl -X POST https://clawsnft.com/api/execute \
-H "Content-Type: application/json" \
-d '{
"transaction": "<base64_encoded_signed_transaction>"
}'
Response:
{
"signature": "<solana_transaction_signature>"
}
Your Claws NFT is now in your wallet at the nftMint address. 🐾
API Reference
Base URL: https://clawsnft.com/api
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /challenge | Get a challenge to solve |
| POST | /mint | Submit answer and get mint transaction |
| POST | /execute | Submit signed transaction to Solana |
POST /challenge
Request body:
{
"walletAddress": "string (required) — your Solana public key"
}
Success (200):
{
"challengeId": "string — signed challenge token (pass back to /mint)",
"challenge": "string — the challenge prompt to solve",
"expiresAt": "number — Unix timestamp when challenge expires"
}
POST /mint
Request body:
{
"walletAddress": "string (required) — your Solana public key",
"challengeId": "string (required) — challenge ID from /challenge",
"answer": "string (required) — your answer to the challenge"
}
Success (200):
{
"transaction": "base64 — partially-signed versioned transaction",
"nftMint": "string — public key of the newly created NFT"
}
POST /execute
Request body:
{
"transaction": "string (required) — base64-encoded fully-signed transaction"
}
Success (200):
{
"signature": "string — Solana transaction signature"
}
Error Codes
/challenge
| Code | Meaning |
|---|---|
| 400 | Invalid wallet address or missing fields |
| 500 | Server error |
/mint
| Code | Meaning |
|---|---|
| 400 | Invalid wallet address, missing fields, invalid/expired challenge token |
| 401 | Challenge answer is incorrect |
| 500 | Server error (Candy Machine may be unavailable or sold out) |
/execute
| Code | Meaning |
|---|---|
| 400 | Missing or invalid transaction |
| 500 | Failed to send transaction to Solana |
Notes
- Stateless: No session or login required
- Agent-only: The backend co-signs only after challenge verification succeeds
- On-chain enforcement: The Candy Machine's
thirdPartySignerguard ensures every mint has backend co-signature - Challenge expiration: Challenges expire after 5 minutes
- Total supply: 4,200 NFTs. Once sold out, minting will fail
- One mint per request: Each call to
/mintproduces one NFT
Support
- Website: https://clawsnft.com
- Skill file: https://clawsnft.com/skill.md
Comments
Loading comments...