Bitagent Skill
v0.1.1
Launch, buy, and sell tokens on BitAgent bonding curves via CLI. Use when the user wants to create a new agent token, or trade existing agent tokens on BitAgent (BSC Testnet/Mainnet).
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The CLI and code (scripts/index.ts) implement launch/buy/sell on BitAgent and call BitAgent APIs — that's consistent with the name/description. However the registry metadata claims 'Required env vars: none' while both SKILL.md and the code require a PRIVATE_KEY. README references a GitHub repo (unibaseio/openclaw-bitagent) while the skill source is 'unknown' in the registry; these metadata inconsistencies are concerning.
Instruction Scope
SKILL.md instructs the agent to execute scripts/index.ts (via npx tsx) and to capture/return stdout, and to set PRIVATE_KEY in the OpenClaw config. The script loads 'dotenv/config' (will read .env if present) and performs network calls to BitAgent auth/API endpoints. The instructions do not mention or warn that .env will be read, nor do they caution about storing a private key in the agent config — both could lead to unintended exposure of other secrets or the wallet key. The agent is told to return CLI stdout to the user; while the code does not obviously print the private key, printing transaction/state data may leak context.
Install Mechanism
There is no registry install spec (instruction-only), but package.json and package-lock.json are included and SKILL.md instructs running 'npm install'. Dependencies resolve from npm (no external/obfuscated downloads). package-lock lists many transitive dependencies (including aws-sdk and pinata-web3 via @bitagent/sdk) which are plausible for the SDK but increase attack surface and should be installed only from a trusted source.
Credentials
The runtime requires a PRIVATE_KEY (wallet private key) — which is appropriate for on-chain operations — but this required env var is not declared in the skill registry metadata. The skill also imports dotenv so it may read a .env file in the repo directory; storing a private key in OpenClaw config or a .env file increases risk of accidental exposure. No other credentials are requested by the code, which aligns with purpose, but the mismatch between declared and actual required env vars is a red flag.
Persistence & Privilege
The skill is user-invocable, not forced-always, and does not request system-wide configuration changes. It does not declare 'always: true' and does not modify other skills' configs. Autonomous invocation is allowed by default (disable-model-invocation:false), which is expected; this combined with other concerns increases risk but is not by itself a misconfiguration.
What to consider before installing
This skill implements BitAgent CLI operations but has some red flags you should address before installing:
- The code and SKILL.md require a PRIVATE_KEY, but the registry metadata does not declare it. Do not trust the skill with your mainnet/real wallet key until you verify source and behavior.
- The script imports dotenv and will read a .env file if present; ensure you do not store other secrets (or the real private key) in repo .env or in OpenClaw config without understanding the risks.
- Verify the skill source (README cites a GitHub repo but registry says source unknown). Prefer installing only from a verified repository and review the full scripts/index.ts yourself.
- If you want to test functionality, use an ephemeral/test wallet on BSC Testnet and a disposable account. Avoid providing a production private key until you audit the code and dependency tree (package-lock.json includes many transitive packages via @bitagent/sdk).
- Consider running the CLI in an isolated environment (container or separate machine) and inspect all stdout/stderr to ensure no secrets are printed or exfiltrated.
If the publisher can update the registry metadata to declare PRIVATE_KEY as a required env var and provide a verifiable source URL/repo, that would reduce ambiguity. As-is, treat this skill as 'suspicious' and proceed cautiously.
BitAgent Skill
This skill uses the BitAgent SDK to interact with bonding curves on BSC. It runs as a CLI only: the agent must execute scripts/index.ts and return the command’s stdout to the user.
Config (required)
Set in the OpenClaw config under skills.entries.bitagent-skill.env (or similar) if it is not already configured.
- PRIVATE_KEY — Wallet private key (0x...)
Ensure dependencies are installed at repo root (npm install).
How to run (CLI)
Run from the repo root with env set. The CLI prints output to stdout. You must capture that stdout and return it to the user.
| Tool | Command | Result |
|---|---|---|
| launch | npx tsx scripts/index.ts launch --network <bsc|bscTestnet> --name "<name>" --symbol "<symbol>" --reserve-symbol "<UB|WBNB|USD1>" | Deploys a new agent token on a bonding curve. Returns the Contract Address and URL on success. |
| buy | npx tsx scripts/index.ts buy --network <bsc|bscTestnet> --token "<tokenAddress>" --amount "<amount>" | Buys a specific amount of tokens. Returns Transaction Hash. |
| sell | npx tsx scripts/index.ts sell --network <bsc|bscTestnet> --token "<tokenAddress>" --amount "<amount>" | Sells a specific amount of tokens. Returns Transaction Hash. |
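The scan above flags two things about running this CLI: the script loads dotenv/config, so any .env at the repo root is read, and the agent returns raw stdout to the user. The wrapper below is an added example (not code from the skill or from BitAgent) that runs the CLI with a minimal environment, warns when a .env is present, and refuses to return output in which the wallet key appears. The key file path, the npx invocation and the argument layout are assumptions taken from the table above.

```shell
#!/bin/sh
# Added example, not part of the skill or the BitAgent project: run the skill's
# CLI with only the variables it needs and refuse to return stdout/stderr that
# contains the wallet private key.

# output_leaks_key KEY TEXT
# Returns 0 (true) if TEXT contains KEY, with or without its 0x prefix.
# An empty key never counts as leaked, so a misread key file cannot match everything.
output_leaks_key() {
  key=$1
  text=$2
  bare=${key#0x}
  [ -n "$bare" ] || return 1
  case "$text" in
    *"$bare"*) return 0 ;;
    *) return 1 ;;
  esac
}

# run_bitagent KEYFILE ARGS...
# Reads the private key from KEYFILE (a user-readable file outside the repo, not
# a .env), warns if a .env is present because scripts/index.ts loads dotenv/config,
# runs the CLI with a minimal environment, and prints the output only if the key
# does not appear in it. Returns the CLI's exit status, or 2 if the key leaked.
run_bitagent() {
  keyfile=$1
  shift
  key=$(cat "$keyfile") || return 1
  [ -n "$key" ] || { echo "empty key file: $keyfile" >&2; return 1; }
  if [ -f .env ]; then
    echo "warning: .env present in $(pwd); scripts/index.ts will load it via dotenv" >&2
  fi
  # env -i drops everything from the caller's environment except what is listed,
  # so unrelated secrets in the shell session are not visible to the script.
  out=$(env -i PATH="$PATH" HOME="$HOME" PRIVATE_KEY="$key" \
        npx tsx scripts/index.ts "$@" 2>&1)
  status=$?
  if output_leaks_key "$key" "$out"; then
    echo "refusing to return output: private key found in CLI output" >&2
    return 2
  fi
  printf '%s\n' "$out"
  return "$status"
}

# Example invocation on the testnet with a throwaway wallet key stored in
# ~/.bitagent-test.key (an assumed path):
#   run_bitagent ~/.bitagent-test.key buy --network bscTestnet --token "<tokenAddress>" --amount "1"
```

The check compares the hex body of the key so a key printed without its 0x prefix is still caught; it does not catch a key that is encoded or split across lines, so it complements, rather than replaces, reading scripts/index.ts before trusting it with a real wallet.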
Flow
- Launch Agent: When a user wants to create a token or agent, run the `launch` command. Ensure you ask for Name, Symbol, and which Reserve Token to use (UB, WBNB, USD1) if not provided.
- Trade (Buy/Sell): When a user wants to trade, use `buy` or `sell`. Requires the Token Address and Amount.
File structure
- Repo root — SKILL.md, package.json.
- scripts/index.ts — CLI implementation.