Hekkova
v1.0.0Permanent memory layer for AI agents. Mint moments to the blockchain via MCP.
⭐ 0· 51·0 current·0 all-time
by@hekkova
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (permanent memory, minting to blockchain) match the declared needs: an HEKKOVA_API_KEY and use of an MCP bridge. The tools (mint, list, get, update_phase, export, get_balance, get_account) are reasonable for this service.
Instruction Scope
SKILL.md confines actions to connecting to Hekkova's MCP endpoint and calling the listed tools. It does not instruct reading unrelated system files or other credentials. It explicitly warns not to log the API key and describes expected outputs (Block ID, Token ID, credits remaining).
Install Mechanism
There is no install spec (instruction-only), but runtime uses `npx mcp-remote ...` which will fetch and execute a package from the npm ecosystem (or otherwise run remote code). That is common for CLI bridges but increases runtime risk compared with pure local instructions — verify the mcp-remote package and the MCP endpoint are trustworthy before allowing execution.
Credentials
Only a single API key (HEKKOVA_API_KEY) is required, which is proportionate to a third‑party service. The SKILL.md and README emphasize not logging the key. No unrelated credentials or config paths are requested.
Persistence & Privilege
Skill is not forced-always and is user-invocable; it does not request system-level config or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other high-risk privileges here.
Assessment
This skill appears to do what it says, but take these practical precautions before installing:
- Trust & provenance: verify you trust hekkova.com and the mcp-remote package that will be invoked via npx; npx downloads and executes remote code at runtime.
- Secret handling: supply only a dedicated HEKKOVA_API_KEY (rotate/limit it if possible); do not reuse a high-privilege key.
- Cost & permanence: minting produces on-chain transactions and consumes credits; test with inexpensive items first. Anything minted may be permanent and publicly discoverable if moved to a public phase — do not mint sensitive personal data.
- Endpoint sanity: confirm the MCP endpoint (https://mcp.hekkova.com/mcp) and the API key prefix (hk_live_) match official docs before use.
- Least privilege: consider using a test account/limited-credit key while evaluating the skill.
If you want greater assurance, ask the publisher for: the mcp-remote package name/version they expect, a signed or pinned package URL, or an official SDK/release you can audit.Like a lobster shell, security has layers — review code before you run it.
latestvk9700dcbceb088k2nhavrpwq4s8494jc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🌙 Clawdis
Binsnpx
EnvHEKKOVA_API_KEY