Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
mintyouragent
v3.6.3
AI agent toolkit for Solana — launch tokens, play poker, link your agent identity to mintyouragent.com. Reads agent personality files (SOUL.md) for profile l...
⭐ 2 · 2.4k · 2 current · 3 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (token launches, poker, agent linking) align with included code and constants: on-chain program IDs, RPC endpoints, and a default API URL for mintyouragent.com are present and expected for this functionality. The dependencies (solders, requests) are appropriate for a pure-Python Solana CLI. Minor note: the skill advertises 'local signing' but also includes explicit commands for linking to an external service and a DEFAULT_API_URL, which is consistent with a platform-backed product but worth verifying.
Instruction Scope
SKILL.md and the code expose a 'soul' extraction and 'link' flow that reads agent personality files (SOUL.md) and links the agent to mintyouragent.com. The README/SKILL.md do not enumerate exactly what profile data is sent during linking (SOUL.md contents, public addresses, metadata, command history?), nor do they show the exact API calls. The code sets DEFAULT_API_URL and imports requests, so network transmission of profile/metadata is likely. This is within the product scope but is privacy-sensitive and insufficiently documented — verify what fields are POSTed and whether anything sensitive (wallet recovery keys, full command history, or unredacted personality files) can be transmitted.
Install Mechanism
There is no packaged install spec in the registry; installation is manual (pip install solders requests) and the skill is shipped as a Python file. This is low-to-moderate risk and expected for a CLI. No remote arbitrary binary downloads or obscure URLs were present in the provided manifest.
Credentials
The skill requests no environment variables or external credentials in the manifest, and stores a wallet under ~/.mintyouragent/ (documented). That storage location is proportional, but the project documents backups (RECOVERY_KEY.txt, backups/) and an audit log — these are sensitive files. The skill claims private keys never leave the machine, but the link/soul feature could still transmit profile data tied to your identity; the manifest doesn't require or declare any API keys, which is consistent but also means network calls will rely on the default API endpoint. Confirm the code does not attempt to upload private key material or recovery keys when performing backup/link actions.
Persistence & Privilege
always:false and no system config paths or other skills' configs are requested. The skill stores data in its own home-prefixed directory (~/.mintyouragent/) which is normal for a wallet/CLI. It does not request elevated or persistent platform-wide privileges in the manifest and does not claim to auto-enable itself across the platform.
What to consider before installing
This skill mostly does what it says (token launches, poker, linking), but the 'soul' extraction and 'link' commands will contact mintyouragent.com; the SKILL.md and README don't state exactly what is sent. Before installing or importing any wallet keys:
1) review the mya.py source around the 'soul' and 'link' commands to see which files/fields are POSTed and whether any secret material could be sent;
2) test in a safe environment (use devnet and a throwaway wallet) to observe network traffic or replay requests;
3) avoid importing real recovery keys or private keys until you're confident the code never transmits them (prefer offline signing or export-only flows);
4) if you plan to use 'link', inspect the remote API (mintyouragent.com) and its privacy policy or run the linking step in a controlled sandbox;
5) prefer running with --dry-run or on devnet and review backups stored under ~/.mintyouragent/ to ensure RECOVERY_KEY.txt isn't created in plaintext.
If you cannot audit the 'link' implementation, treat the linking/profile features as potentially transmitting sensitive personality/metadata and proceed with caution.
Like a lobster shell, security has layers — review code before you run it.
