Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NFT Skill - Autonomous AI Artist Agent

v1.0.0

Autonomous AI Artist Agent for generating, evolving, minting, listing, and promoting NFT art on the Base blockchain. Use when the user wants to create AI art, mint ERC-721 NFTs, list on marketplace, monitor on-chain sales, trigger artistic evolution, or announce drops on X/Twitter.

Security Scan
Capability signals
Crypto · Requires wallet · Can sign transactions · Posts externally
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code, CLI, and SKILL.md implement generation, IPFS upload, ERC‑721 minting, marketplace listing, on‑chain monitoring, and social posting — all coherent with the described NFT artist purpose. However the registry metadata (as provided to the platform) contradicts the SKILL.md: registry claims no required env vars and no primary credential, but the SKILL.md and source code clearly require many secrets (BASE_PRIVATE_KEY, PINATA keys, LLM and image provider keys, X/Twitter keys, etc.). The skill also contains deployment scripts and contracts (Hardhat) so blockchain credentials are legitimately needed; the metadata omission is an inconsistency that should be corrected/verified.
Instruction Scope
SKILL.md instructs the agent to run npm install/build, read/write a .env file, deploy contracts, access LLM/image/IPFS/Twitter APIs, and stream on‑chain events — all expected for this functionality. The agent is also encouraged to autonomously run the generate→mint→list→tweet→monitor→evolve cycle (README/SKILL.md), which means it can perform actions that spend real funds and post to social media. The instructions do not attempt to read unrelated system files, but they do instruct writing to .env and persisting evolution state to disk (evolution.json).
Install Mechanism
Install uses a shell step that runs 'npm install' and 'npm run build' (standard for Node projects). Dependencies come from npm (package.json and package-lock.json present) — moderate risk but expected. Oddity: the install spec claims 'creates binaries: node' which is incorrect (node is a required runtime, not installed by the skill) — likely a metadata/authoring mistake. There are no downloads from unknown URLs or archive extractions; code is included in the bundle.
Credentials
The SKILL.md requires many sensitive environment variables (BASE_PRIVATE_KEY or PRIVATE_KEY_FILE, PINATA_API_KEY/SECRET, LLM and image provider keys, X/Twitter keys). These are proportionate to the stated capabilities, but the platform registry metadata omits them (claims none) and does not declare a primary credential — that mismatch is concerning because users may install without being warned to provide a signing key. Because the skill can sign transactions with BASE_PRIVATE_KEY, this gives it the ability to move funds / mint costly transactions; treat the private key as high risk and prefer PRIVATE_KEY_FILE with a restricted-wallet/faucet account for testing.
Persistence & Privilege
The skill does not request 'always: true' and does not appear to modify other skills. It persists evolution state and writes contract addresses to .env during deploy — expected behavior. The real risk is operational: if allowed to run autonomously, the agent can perform on‑chain transactions and post to social media using provided credentials; combine that with large or primary wallets and the blast radius is high. This is expected for a blockchain-integrated autonomous skill but requires user caution.
What to consider before installing
What to check before installing/use:
  • Metadata mismatch: the registry entry claims no env vars / no primary credential, but SKILL.md and the source require many secrets (BASE_PRIVATE_KEY, Pinata keys, LLM/image provider keys, X/Twitter keys). Do not trust the registry summary — review SKILL.md and README instead.
  • Private key risk: the skill can sign on‑chain transactions. Use a dedicated wallet with minimal funds (testnet or a small mainnet wallet) and prefer PRIVATE_KEY_FILE pointing to a file with restricted permissions rather than pasting a main private key into .env.
  • Autonomous actions: the skill is designed to autonomously mint/list and post to X. If you plan to let an agent invoke this skill autonomously, restrict credentials and monitor activity closely (or disable autonomous invocation until you audit the code).
  • Installation: the install runs npm install/build from the skill directory and will install third‑party npm packages — review package.json and package-lock.json for any unexpected dependencies. The install metadata contains a minor error claiming it 'creates binaries: node' — node should already be present on the host.
  • Verify source: the SKILL.md references a GitHub homepage (https://github.com/Numba1ne/nft-skill) but the registry/source fields you were given say 'unknown' / 'none'. Try to find the canonical repository and inspect commit history or a verified release. If you cannot find a trustworthy upstream, treat the package as higher risk.
  • Test on testnet first: deploy and run the skill on Base Sepolia (or a local chain) and use throwaway API keys to confirm behavior before supplying production keys.
  • Principle of least privilege: only provide the environment variables actually needed for the operations you want (e.g., omit X_* keys if you won't use the tweet feature), and rotate any keys provided to the skill after testing.

If you want, I can:
  • Highlight exact lines in the source that read/write the private key, PINATA, or social APIs.
  • Produce a minimal .env example and a recommended low-permission test wallet configuration.
  • Check package.json/package-lock.json for any uncommon/native modules to audit further.


Runtime requirements

🎨 Clawdis
Bins: node, npm
Tags: ai-art, base, blockchain, erc721, ipfs, latest, marketplace, nft, web3
1.3k downloads
0 stars
1 version
Updated 6h ago
v1.0.0
MIT-0

NFT Skill for OpenClaw

Allows an OpenClaw agent to autonomously generate art, mint NFTs, list on marketplace, monitor sales, evolve based on milestones, and post social updates.

When to Use This Skill

  • User asks to generate AI art or procedural digital art
  • User wants to mint an NFT on Base
  • User wants to list an NFT for sale on the marketplace
  • User wants to monitor on-chain NFT sales
  • User wants to evolve art style after a sales milestone
  • User wants to tweet or announce a new NFT drop on X (Twitter)
  • User mentions "NFT", "mint", "Base blockchain", "AI art", "digital art", or "marketplace listing"

Setup (First Run)

Before first use, ensure the project is built:

cd {baseDir} && npm install && npm run build

The user must populate a .env file with their keys:

cp {baseDir}/.env.example {baseDir}/.env

Required variables: BASE_RPC_URL, BASE_PRIVATE_KEY, NFT_CONTRACT_ADDRESS, MARKETPLACE_ADDRESS, PINATA_API_KEY, PINATA_SECRET, LLM_PROVIDER.

To deploy contracts (one-time setup):

cd {baseDir} && npm run deploy:testnet   # Base Sepolia testnet
cd {baseDir} && npm run deploy:mainnet   # Base mainnet

Contract addresses are automatically written to .env after deployment.

Tools

All tools output JSON. The agent should look for the final line matching {"status":"success",...} or {"status":"error",...}.


1. generate — Generate Art

Generate new art and upload to IPFS.

cd {baseDir} && npm run cli -- generate --generation <number> --theme "<description>"

Parameters:

Flag             | Type   | Required | Description
-g, --generation | number | yes      | Generation number (determines evolution state)
-t, --theme      | string | yes      | Art theme description sent to LLM

Output:

{"status": "success", "result": {"imagePath": "...", "metadata": {...}, "metadataUri": "Qm..."}}

Example:

cd {baseDir} && npm run cli -- generate --generation 1 --theme "neon cyberpunk city"

2. mint — Mint NFT

Mint a new ERC721 token on Base with an IPFS metadata URI.

cd {baseDir} && npm run cli -- mint --metadata-uri <uri>

Parameters:

Flag               | Type   | Required | Description
-m, --metadata-uri | string | yes      | IPFS metadata URI (e.g. Qm... or ipfs://Qm...)

Output:

{"status": "success", "result": {"tokenId": "1", "txHash": "0x...", "blockNumber": 12345, "gasUsed": "80000"}}

Example:

cd {baseDir} && npm run cli -- mint --metadata-uri QmXyz123abc

3. list — List NFT on Marketplace

List a minted NFT for sale on the marketplace.

cd {baseDir} && npm run cli -- list --token-id <id> --price <eth>

Parameters:

Flag           | Type   | Required | Description
-i, --token-id | string | yes      | Token ID to list
-p, --price    | string | yes      | Listing price in ETH (e.g. "0.05")

Output:

{"status": "success", "result": {"success": true, "price": "0.05", "txHash": "0x..."}}

Example:

cd {baseDir} && npm run cli -- list --token-id 1 --price 0.05

4. monitor — Monitor Sales

Watch for sales events in real-time. Streams JSON to stdout until interrupted (Ctrl+C).

cd {baseDir} && npm run cli -- monitor [--from-block <number>]

Parameters:

Flag             | Type   | Required | Description
-f, --from-block | number | no       | Replay missed sales from this block before live monitoring

Output (per sale):

{"status": "sale", "result": {"buyer": "0x...", "tokenId": "1", "price": "0.05", "txHash": "0x...", "blockNumber": 12345}}

Example:

cd {baseDir} && npm run cli -- monitor --from-block 12000000

5. evolve — Evolve Agent

Trigger the evolution logic when sales milestones are met.

cd {baseDir} && npm run cli -- evolve --proceeds <eth> --generation <number> --trigger "<reason>"

Parameters:

Flag             | Type   | Required | Description
-p, --proceeds   | string | yes      | Total ETH proceeds earned so far
-g, --generation | number | yes      | Current generation number
--trigger        | string | yes      | Human-readable reason for evolution

Output:

{"status": "success", "result": {"previousGeneration": 1, "newGeneration": 2, "improvements": [...], "newAbilities": [...]}}

Example:

cd {baseDir} && npm run cli -- evolve --proceeds "0.5" --generation 1 --trigger "Sold 3 NFTs"

6. tweet — Post to X

Post an update to X (Twitter).

cd {baseDir} && npm run cli -- tweet --content "<text>"

Parameters:

Flag          | Type   | Required | Description
-c, --content | string | yes      | Tweet text (auto-truncated to 280 chars)

Output:

{"status": "success", "result": "tweet_id_string"}

Example:

cd {baseDir} && npm run cli -- tweet --content "New AI art drop incoming! #AIArt #Base"

Typical Workflow

A full autonomous cycle the agent should follow:

  1. Generate art with a theme → receive metadata URI
  2. Mint the NFT with that URI → receive token ID
  3. List the NFT on the marketplace at a price
  4. Tweet about the new listing
  5. Monitor sales for purchase events
  6. Evolve when a sales milestone is reached
  7. Repeat from step 1 with the new generation number
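The status-line rule from the Tools section ("look for the final line matching {"status":...}") and the cycle above, worked through as an added example in JavaScript. This is not code from the nft-skill project: `parseStatusLine`, `invoke`, `runCycle` and the canned `fakeRun` outputs are constructed here, and the only assumption about the real CLI is the documented JSON output shape. The command runner is injected so the cycle can be exercised without a wallet, and two guardrails an operator would want before letting an agent loop autonomously (a listing price cap and a gate on the tweet step) are enforced in the orchestrator rather than left to the agent's judgment.

```javascript
// Added example, not the skill's own code: parse the CLI's final JSON status
// line and drive one generate -> mint -> list -> tweet cycle through an
// injected command runner with spending guardrails. `fakeRun` and its canned
// outputs (banner text, URIs, tx hashes) are constructed for this example.

// Return the last stdout line that parses as a JSON object with a "status"
// field. npm's own lines ("> ... cli") and progress text are skipped.
function parseStatusLine(stdout) {
  const lines = stdout.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  for (let i = lines.length - 1; i >= 0; i--) {
    if (!lines[i].startsWith('{')) continue;
    try {
      const obj = JSON.parse(lines[i]);
      if (obj && typeof obj.status === 'string') return obj;
    } catch (_) {
      // not JSON: keep scanning upwards
    }
  }
  throw new Error('no JSON status line found in CLI output');
}

// Run one subcommand through `run` ((args) => stdout string) and stop on
// {"status":"error"} instead of feeding bad output into the next step.
function invoke(run, args) {
  const res = parseStatusLine(run(args));
  if (res.status === 'error') {
    throw new Error(`cli ${args[0]} failed: ${res.message || 'unknown error'}`);
  }
  return res;
}

// Guardrails checked before anything that costs gas or posts publicly:
// maxPriceEth caps the listing price; allowTweet gates the social step.
function runCycle(run, { generation, theme, priceEth, maxPriceEth, allowTweet }) {
  const price = Number(priceEth);
  if (!(price > 0) || price > maxPriceEth) {
    throw new Error(`listing price ${priceEth} ETH outside allowed range (0, ${maxPriceEth}]`);
  }
  const gen = invoke(run, ['generate', '--generation', String(generation), '--theme', theme]);
  const mint = invoke(run, ['mint', '--metadata-uri', gen.result.metadataUri]);
  const list = invoke(run, ['list', '--token-id', String(mint.result.tokenId), '--price', String(priceEth)]);
  let tweetId = null;
  if (allowTweet) {
    const text = `New drop: token #${mint.result.tokenId} listed at ${priceEth} ETH`;
    tweetId = invoke(run, ['tweet', '--content', text]).result;
  }
  return { metadataUri: gen.result.metadataUri, tokenId: mint.result.tokenId, listTx: list.result.txHash, tweetId };
}

// Constructed stand-in for `npm run cli -- <args>`. A real runner would return
// child_process.spawnSync('npm', ['run', 'cli', '--', ...args], { cwd: baseDir, encoding: 'utf8' }).stdout.
function fakeRun(args) {
  const banner = `\n> nft-skill@1.0.0 cli\n> node dist/cli.js ${args.join(' ')}\n\n`;
  const ok = (result, progress = '') => banner + progress + JSON.stringify({ status: 'success', result }) + '\n';
  switch (args[0]) {
    case 'generate': return ok({ imagePath: 'out/1.png', metadata: {}, metadataUri: 'QmExampleUri' }, 'uploading to IPFS...\n');
    case 'mint': return ok({ tokenId: '1', txHash: '0xabc', blockNumber: 12345, gasUsed: '80000' });
    case 'list': return ok({ success: true, price: args[4], txHash: '0xdef' });
    case 'tweet': return ok('tweet_123');
    default: return banner + JSON.stringify({ status: 'error', message: `unknown command ${args[0]}` }) + '\n';
  }
}

const demoCycle = runCycle(fakeRun, { generation: 1, theme: 'neon cyberpunk city', priceEth: '0.05', maxPriceEth: 0.1, allowTweet: true });
console.log(JSON.stringify(demoCycle));
```

Scanning from the last line upwards matters because `npm run` prints its own banner before the tool's output and the generate step emits progress text; taking the first JSON-looking line would break on either. Keeping the price cap in the orchestrator means a prompt-injected or simply mistaken theme cannot talk the agent into listing at an arbitrary price.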

Error Handling

  • If a command returns {"status":"error",...}, read the message field and report it to the user.
  • Common issues: missing .env variables, insufficient wallet balance, network RPC errors.
  • For wallet balance issues, suggest that the user fund their Base wallet.
  • For missing env vars, remind the user to populate {baseDir}/.env.

Environment Variables

Variable             | Required                    | Description
BASE_RPC_URL         | yes                         | Base network RPC endpoint
BASE_PRIVATE_KEY     | yes*                        | Wallet private key (or use PRIVATE_KEY_FILE)
PRIVATE_KEY_FILE     | no                          | Path to file containing the private key (safer alternative to env var)
NFT_CONTRACT_ADDRESS | yes                         | Deployed NFTArt contract address
MARKETPLACE_ADDRESS  | yes                         | Deployed NFTMarketplace contract address
PINATA_API_KEY       | yes                         | Pinata IPFS API key
PINATA_SECRET        | yes                         | Pinata IPFS secret
LLM_PROVIDER         | yes                         | openrouter, groq, or ollama
LLM_MODEL            | no                          | Model ID override
OPENROUTER_API_KEY   | if LLM_PROVIDER=openrouter  | OpenRouter API key
GROQ_API_KEY         | if LLM_PROVIDER=groq        | Groq API key
OLLAMA_BASE_URL      | if LLM_PROVIDER=ollama      | Ollama base URL
IMAGE_PROVIDER       | no                          | stability, dalle, or procedural (default)
IMAGE_MODEL          | no                          | Image model override
STABILITY_API_KEY    | if IMAGE_PROVIDER=stability | Stability AI key
OPENAI_API_KEY       | if IMAGE_PROVIDER=dalle     | OpenAI key for DALL-E
X_CONSUMER_KEY       | for tweet                   | X API consumer key
X_CONSUMER_SECRET    | for tweet                   | X API consumer secret
X_ACCESS_TOKEN       | for tweet                   | X access token
X_ACCESS_SECRET      | for tweet                   | X access token secret
BASESCAN_API_KEY     | no                          | For contract verification on Basescan
