Hekkova Openclaw Skill
v1.2.1
Permanent memory layer for AI agents. Mint moments to the blockchain via MCP.
by @hekkova
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (permanent memory, minting moments) match the declared requirements: npx is needed to run the MCP bridge and the skill requires a single HEKKOVA_API_KEY. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md stays on-topic: it instructs the agent to connect to an MCP endpoint and lists the eight tools and their parameters. It does not instruct reading unrelated files, scanning system config, or exfiltrating data beyond the service. It expects content/media or a URL and optional provenance metadata.
Install Mechanism
There is no install spec (lowest on-disk risk). However, the runtime uses `npx mcp-remote ...`, which fetches and executes an npm package on demand. Executing code from npm at runtime is a supply-chain risk: the package could run arbitrary code in the agent environment. This is expected for an MCP-style bridge but worth noting.
Credentials
Only one environment variable (HEKKOVA_API_KEY) is required — proportional to a service that authenticates API calls. No other secrets or unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence or modification of other skills. Model invocation autonomy remains at the platform default (no extra privileges requested).
Assessment
This skill appears coherent for its stated purpose and only asks for a single API key and npx. Before installing, verify the following:
(1) Confirm the MCP endpoint (https://mcp.hekkova.com/mcp) and the `mcp-remote` package are legitimate — running `npx mcp-remote` will download and execute code from npm at runtime, which is a supply-chain risk; prefer a pinned, audited package or a vetted local binary if possible.
(2) Limit the scope and lifetime of HEKKOVA_API_KEY (use a key with least privilege, store it securely, and rotate it if you suspect compromise).
(3) Understand that media passed to the skill (base64 or URLs) and optional provenance metadata will be sent to Hekkova infrastructure and that privacy depends on their encryption/hosting claims — verify their docs and terms before uploading sensitive content.
(4) If you want to reduce risk, avoid enabling autonomous agent invocation for this skill or require explicit user confirmation before any minting operations.
If you need higher assurance, request or inspect a pinned, published `mcp-remote` release (or vendor the bridge) so the code executed by npx can be audited.
Like a lobster shell, security has layers — review code before you run it.
latest vk977xzm40qe6a1a7ansg06ca3584d51r
Runtime requirements
🌙 Clawdis
Bins: npx
Env: HEKKOVA_API_KEY
