Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bloom Discovery

v4.0.2

Agent-native discovery skill for the intent economy. Analyzes your MentalOS, matches use cases to your installed skills, lets you claim SBT proof, and option...

by Bloom Protocol (@bloomprotocol)
License: MIT-0. Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The README/SKILL.md advertise local-only analysis and 'no API keys required', yet the repository and scripts reference environment configuration (JWT_SECRET in README and several test scripts), a BLOOM_API_URL, and code that posts identity/recommendation payloads to a remote API. mission-skill.json also declares BLOOM_API_URL and optional wallet envs. Asking for network and optional wallet parameters is coherent for claiming SBTs and dashboard features, but the registry metadata claimed no required envs/credentials which is inconsistent.
[!] Instruction Scope
Runtime docs and scripts explicitly read conversation session files (~/.openclaw/agents/.../sessions/*.jsonl) and the installed-skill directory (~/.openclaw/skills/), which matches the stated behavior. However, the codebase and tests build API payloads containing identityData and recommendations and show POSTs to /api/ endpoints. SKILL.md promises 'minimal transmission' and 'raw conversation text never sent', but test scripts assemble and (in simulation) would POST full identityData + recommendations — that gap between 'only top-level scores' vs. test payloads is a substantive mismatch. Also, the project includes helper scripts that generate JWTs and dashboard URLs (generate-fresh-token.ts, test-with-real-analysis.ts) which, if run, create auth tokens tied to a secret.
Install Mechanism
The skill package is delivered with many code files but no install spec in the registry (instruction-only). That lowers automatic install risk, but the bundle contains runnable scripts and a package.json with dependencies (including puppeteer, viem, twitter-api-v2). If you run npm install / npm run scripts locally you will fetch many third-party packages; nothing is downloaded from an untrusted URL at install time, but executing the included scripts will run non-trivial code from the repo.
[!] Credentials
Registry metadata declares no required env vars, but README, package.json scripts, and test files require or recommend JWT_SECRET, BLOOM_API_URL, DASHBOARD_URL, and (optionally) wallet-related envs. Several dev/test scripts will fail or throw if JWT_SECRET is missing. The presence of jwt signing and token-generation code (generate-fresh-token.ts, test-with-real-analysis.ts) means a secret named JWT_SECRET is meaningful and powerful; that is disproportionate to a purely local analyzer and should be explicitly declared and justified.
[!] Persistence & Privilege
The SKILL.md claims minimal writes (only ~/.bloom/agent-id.json and bloom-discoveries.md). The docs also instruct copying an 'openclaw-wrapper' into ~/.openclaw/skills/ (writing into the agent skills directory). The package includes mission/mission-cli scripts that reference agent wallet and heartbeat behavior. While 'always' is false, the skill contains scripts and wrappers that, if installed/copied, will modify the user's ~/.openclaw/skills and write agent files — a legitimate feature but worth flagging because it changes your skills directory and can create dashboard tokens and agent wallets.
What to consider before installing
What to check before installing/use:

  • Confirm expected env vars: the registry lists none but the repo and README reference JWT_SECRET, BLOOM_API_URL, DASHBOARD_URL and optional wallet envs. Treat JWT_SECRET as sensitive — do not set it unless you understand what tokens the skill will mint and who accepts them.
  • Avoid running developer/test scripts (generate-fresh-token.ts, test-* scripts) unless you intentionally want to create JWTs or test tokens. Those scripts require JWT_SECRET and will produce signed tokens and dashboard URLs.
  • Verify exactly what is sent to the Bloom backend: SKILL.md promises 'minimal transmission', but several test files build/POST identityData and recommendations. If you require strict offline analysis, inspect the code paths that call api.bloomprotocol.ai and run the skill offline or block that network endpoint.
  • Inspect openclaw-wrapper/execute.sh and scripts/run-from-session.ts to confirm they only read session files and do not upload raw conversation text. If you prefer, run the skill in a sandboxed environment first and monitor outgoing network calls (e.g., with a proxy or by setting BLOOM_API_URL to a local endpoint).
  • If you do not want files written into ~/.openclaw/skills, do not copy the openclaw-wrapper into your skills directory. Check what the wrapper will create before accepting it.
  • Run static audits: npm audit, review package.json scripts, and search source for any code that reads files outside the home directory or posts full conversation text. Pay attention to integrations (twitter/X, farcaster) that may access external accounts.

Bottom line: the core functionality (local analysis + matching) appears coherent, but the repo contains scripts and configuration for token generation and networked flows that are not fully declared in the registry metadata — review and limit those before use.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • scripts/deploy-sbt.ts:40: Shell command execution detected (child_process).
  • src/integrations/bird-twitter.ts:103: Shell command execution detected (child_process).
  • src/bloom-identity-skill-v2.ts:77: Environment variable access combined with network send.
  • src/bloom-mission-skill.ts:14: Environment variable access combined with network send.
  • src/discovery-sync.ts:140: Environment variable access combined with network send.
  • src/metrics/reporter.ts:16: Environment variable access combined with network send.
  • src/recommendation-pipeline.ts:315: Environment variable access combined with network send.
  • src/registry/erc8004.ts:51: Environment variable access combined with network send.
  • src/usecase/claim.ts:13: Environment variable access combined with network send.
  • src/utils/disk-cache.ts:45: Environment variable access combined with network send.
  • [!] src/bloom-identity-skill-v2.ts:44: File read combined with network send (possible exfiltration).
  • [!] src/discovery-sync.ts:52: File read combined with network send (possible exfiltration).
  • [!] src/utils/disk-cache.ts:8: File read combined with network send (possible exfiltration).



Runtime requirements

🌸 Clawdis
Bins: node, npx

SKILL.md

Bloom Discovery Skill

Don't browse 13,000 skills. Browse use cases.

Bloom Discovery is an agent-native skill that analyzes how you work, matches you to curated use cases, verifies your configuration, and lets you claim on-chain proof — so your agent works for you, not the other way around.

Capabilities

1. Personality Analysis (MentalOS)

Reads your USER.md and conversation history (~120 messages) to map your builder personality across 4 dimensions:

  • Learning (learning style): Try First ↔ Study First
  • Decision (decision style): Gut ↔ Deliberate
  • Timing (adoption timing): Pioneer ↔ Pragmatist
  • Focus (commitment style): All-In ↔ Diversified

Outputs: Personality type (Visionary / Explorer / Cultivator / Optimizer / Innovator), custom tagline, hidden pattern insight, AI edge guide. Includes displayLabels with en/zh translations for all sections.

2. Use Case Discovery

Intent-driven skill browsing. Instead of searching 13,000 skills, you describe what you want to accomplish and Bloom matches you to curated use cases — each a tested combination of skills.

  • Fetches use case catalog from Bloom API
  • Matches against your personality spectrum (novelty-seekers get new use cases, risk-averse skip DeFi)
  • Keyword frequency threshold (≥ 3 mentions) to avoid noise

3. Verify Configuration & Claim SBT

Scans your installed skills (~/.openclaw/skills/) and verifies whether you have the right setup for a given use case.

  • Compares installed skills against use case requirements
  • Shows match percentage and missing capabilities
  • Claim flow: verified config → POST /api/claim → mint SBT or get web link
  • SBT = on-chain proof that you have a verified configuration

4. ERC-8004 Identity Registration

Register your agent identity on the ERC-8004 Agent Identity Registry (Base mainnet).

  • Sends your agent profile (name, skills, endpoint) to backend for registration
  • Backend handles the on-chain transaction
  • Registry contract: 0x8004A169FB4a3325136EB29fA0ceB6D2e539a432

5. Usage Metrics (Opt-in)

Anonymized usage reporting to improve recommendations for everyone.

  • Reads local OpenClaw skill directory to count install days and usage frequency
  • Reports only: skill name + usage count (no conversation content, no personal data)
  • Opt-in only — never sends data without explicit user consent
  • POST /api/metrics with minimal payload

Security & Privacy

  ✅ Local analysis — Conversation text analyzed on your machine, never uploaded
  ✅ Local Differential Privacy (ε=1.0) — Spectrum scores noised via Laplace mechanism before transmission
  ✅ SHA-256 fingerprint — Conversation hashed locally; only irreversible hash stored for dedup
  ✅ Minimal transmission — Server receives personality type + approximate scores only
  ✅ Minimal writes — Writes only ~/.bloom/agent-id.json (returning user token, 0600 permissions) and bloom-discoveries.md (local sync log). Never modifies session files or USER.md
  ✅ Atomic file writes — Uses tmp+rename pattern to prevent corruption
  ✅ User-initiated — Only runs when you explicitly invoke the skill
  ✅ Opt-in metrics — Usage data never sent without consent
  ✅ Open source — Full source at github.com/bloomprotocol/bloom-discovery-skill

  ❌ Raw conversation text is never sent to any server
  ❌ Wallet private keys are never transmitted
  ❌ Personal identifiable information is never collected
  ❌ No background data collection — only runs on explicit invocation

Triggers

  • "generate my bloom identity"
  • "create my identity card"
  • "analyze me"
  • "what's my builder type"
  • "discover my personality"
  • "create my bloom card"
  • "find use cases for me"
  • "verify my config"
  • "claim my SBT"
  • "what use cases match my skills"

Data Sources

Primary: USER.md + Conversation History

  • USER.md — Declared role, tech stack, interests, working style. Injected as first-class text into the personality analyzer. Falls back gracefully if not present.
  • Conversation history — Always available from OpenClaw sessions. Analyzes topics, interests, engagement patterns.
  • Requires: Minimum 3 messages in your session. If fewer than 3 messages are present, the skill returns a clear error.

Secondary: Installed Skills

  • ~/.openclaw/skills/ — Scanned locally for use case verification. Never uploaded.

Output

  • Personality type (Visionary / Explorer / Cultivator / Optimizer / Innovator)
  • Custom tagline and description
  • MentalOS spectrum (Learning, Decision, Novelty, Risk — each 0-100)
  • Hidden pattern insight + AI-era playbook
  • Main categories and subcategories
  • Matched use cases with verification status
  • Recommended skills from the Bloom skill catalog (with match scores)
  • Dashboard link at bloomprotocol.ai

Technical Details

  • Version: 4.0.1
  • Privacy: LDP ε=1.0 + SHA-256 fingerprint
  • Analysis Engine: MentalOS spectrum (4 dimensions) + category mapping
  • Primary Signal: Conversation memory (~120 messages) + USER.md
  • Processing Time: ~60 seconds (personality) + ~5 seconds (use case matching)
  • Output: Personality card + use case matches + tool recommendations + dashboard URL
  • Network: Base (mainnet) — configurable via NETWORK env var
  • On-chain: ERC-8004 Identity Registry + BloomExclusivePass SBT

Requirements

Installation

git clone https://github.com/bloomprotocol/bloom-discovery-skill.git
cd bloom-discovery-skill
npm install

Built by Bloom Protocol

Files

83 total
