Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
StonebornBot
v1.0.0
High-speed NFT mint bot for Ethereum and EVM chains. Use when the user wants to snipe NFT mints, speed-mint collections, set up multi-wallet minting bots, configure mint sniping with pre-signed transactions, or automate NFT minting across multiple wallets. Supports ERC721A, Archetype contracts, Flashbots, war mode gas, WebSocket monitoring, mempool watching, and batch minting with 100+ wallets.
⭐ 0 · 684 · 2 current · 2 all-time
by @olawoyin206 (publisher)
MIT-0
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (NFT mint bot, multi-wallet, pre-signed txs, Flashbots, Bankr) align with the included scripts (mint-bot.js, batch-test.js, wallet management, Flashbots and Bankr helpers). Required env vars and binaries are minimal/none which is coherent because configuration is file-based.
Instruction Scope
SKILL.md instructs running setup.sh and creating scripts/config.json and to use batch-test.js, but scripts/batch-test.js reads a different filename (config-test-all.json) that does not exist in the package — an inconsistency that will break testing. The code expects users to place private keys and API keys in config files and will POST signed transaction data and API keys to external services (Bankr, Flashbots relay, RPC endpoints). The instructions do not explicitly warn the user to avoid placing real private keys in repo-controlled files (the references mention not committing keys but the quick-start still creates a config file inside scripts).
Install Mechanism
There is no formal install spec, but setup.sh runs npm init and npm install ethers@^6. Installing a single well-known npm package is expected for a Node-based bot — moderate risk (npm packages run arbitrary code at install/run), but the install sources are standard (npm registry), not a raw download from an unknown URL.
Credentials
The skill requests no declared environment variables, but the runtime uses sensitive secrets stored in config.json: wallet private keys, optional Bankr apiKey, Flashbots authSignerKey, and RPC keys (Alchemy). These are proportionate to the bot's purpose but the SKILL.md/manifest do not declare or warn about them formally. Storing those secrets in plaintext project files is risky and the skill gives mixed guidance about where to keep wallet files.
Persistence & Privilege
always:false and no special system-wide persistence or privilege escalation. The skill runs as a one-off Node process and does not modify other skills or global agent settings.
What to consider before installing
This skill appears to implement what it claims, but it handles very sensitive data and has some inconsistencies — proceed cautiously. Before running or installing:
1) Review the JavaScript files yourself (or have someone you trust do it), paying attention to network calls that transmit private keys or signed data (bankrSign, bankrSubmit, Flashbots submission, raw RPC broadcasts).
2) Do NOT put your main/private keys or funded wallets into the provided config.json in a repo — use ephemeral/test wallets first.
3) Fix the obvious mismatch: batch-test.js expects config-test-all.json but the instructions create scripts/config.json; ensure test scripts point at the right file.
4) Use an isolated environment (throwaway VM or container) and limit network exposure when first testing.
5) If you must use funded wallets, keep only minimal funds and prefer using a hardware wallet for the funding account.
6) Verify external endpoints (cfg.bankr.apiUrl, flashbots.relayUrl, rpcUrls) are correct/trusted before entering API keys.
7) Consider whether using a public npm package install is acceptable in your environment; inspect package.json after setup.
If you are not comfortable auditing the code or providing private keys, do not run this skill.
Like a lobster shell, security has layers — review code before you run it.
latest: vk974v44a5d3m6590y6k86szfx1813wkg
