Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Buy Sovereign Domain (Handshake DNS)

v1.0.0

Register sovereign domains (.badass, .forever, .fuck, .rebel, .pump, .hello, .howdy, .robo, .dnet, .f, bear emoji) on Ethereum mainnet via Impervious Domains...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for techno-hippies/buy-handshake-domain.

Install the skill "Buy Sovereign Domain (Handshake DNS)" (techno-hippies/buy-handshake-domain) from ClawHub.
Skill page: https://clawhub.ai/techno-hippies/buy-handshake-domain
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: ETHEREUM_RPC_URL
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install buy-handshake-domain

ClawHub CLI

npx clawhub@latest install buy-handshake-domain

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description (registering Handshake-like domains on Ethereum via Impervious Domains contracts) aligns with requiring an Ethereum RPC endpoint, but the skill claims it will mint ERC‑721 NFTs yet does not declare how transactions will be signed or how the user's wallet is supplied.
[!] Instruction Scope
SKILL.md instructs the agent to follow a full procedure and points to `{baseDir}/../../skills.md` for ABIs, addresses, and safety constraints — those files are not included. The instructions implicitly require sending signed transactions (commit/reveal) and waiting for confirmations but give no guidance on where signing keys or user wallet access come from. Referencing files outside the skill bundle is scope creep and could cause the agent to read arbitrary host files.
Install Mechanism
No install spec and no code files — lowest-risk delivery method. However, being instruction-only means the runtime behavior depends entirely on what the agent is told to do (e.g., network calls to the RPC).
[!] Credentials
Only ETHEREUM_RPC_URL is declared, but minting on-chain requires transaction signing (private key, hardware wallet, or user-signed payloads). The absence of any declared signing credential or explicit user-interactive signing workflow is a mismatch and could lead to the skill asking for private keys or other secrets at runtime. Also ETHEREUM_RPC_URL may embed API keys — the skill provides no guidance on acceptable RPC providers or scopes.
Persistence & Privilege
always is false, no config paths requested, and no install steps that modify system or other skills. Persistence/privilege requirements appear minimal.
What to consider before installing
This skill is ambiguous rather than clearly malicious, but proceed cautiously. Before installing or using it, ask the author to: (1) provide the full ABIs and contract addresses used (not a relative `{baseDir}` reference), (2) explicitly describe how transactions are signed (do not share private keys — prefer user-side signing or hardware wallet), and (3) show the exact RPC endpoints and explain any API keys. Never paste your private key or seed phrase into the agent; instead, require the agent to prepare unsigned transactions for you to sign offline or via your wallet. If you must test, use a fresh ephemeral wallet with minimal funds on a testnet first and verify every transaction payload and destination contract address. If the skill asks to read local files outside its bundle or to accept a private key, decline until the above are clarified. If the skill's source or homepage is unknown, prefer not to grant sensitive access (private keys, full-access RPC endpoints) until the code or a trustworthy origin is available.

Runtime requirements

Env: ETHEREUM_RPC_URL
latest: vk978wakwy2z0dc2148hh7qb0v58174h9
670 downloads
0 stars
1 version
Updated 22h ago
v1.0.0
MIT-0

See the full registration skill spec at {baseDir}/../../skills.md.

This skill registers <label>.<tld> domains as on-chain ERC-721 NFTs using Impervious Domains contracts (ENS fork) on Ethereum mainnet.

Recommended TLDs

TLD         Vibe
.badass     OG flagship — default choice, cheapest
.forever    Permanence, legacy
.fuck       Irreverent, punk
.rebel      Counter-culture
.pump       Degen / trading culture
.hello      Friendly, approachable
.howdy      Casual, warm
.robo       Tech / AI identity
.dnet       Decentralized network
.f          Minimal, one-letter flex
xn--gp8h    Bear emoji domain

Quick summary

  1. User picks a label + TLD
  2. Commit/reveal pattern (two transactions, ~1 min wait between)
  3. Domain minted as ERC-721 to user's wallet
  4. Full procedure, ABIs, safety constraints, and contract addresses in {baseDir}/../../skills.md
