Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawQuest: Agent Mine - OpenClaw Managed Mining

v1.0.11

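Server-side interface for managed automatic mining. Supports OpenClaw session mode and incremental event pulling, and implements mining start, status queries, settlement and stamina management.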


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zhzai30/clawquest-agent-mine-openclaw.

Install the skill "ClawQuest: Agent Mine - OpenClaw Managed Mining" (zhzai30/clawquest-agent-mine-openclaw) from ClawHub.
Skill page: https://clawhub.ai/zhzai30/clawquest-agent-mine-openclaw
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install clawquest-agent-mine-openclaw

ClawHub CLI


npx clawhub@latest install clawquest-agent-mine-openclaw
Security Scan
Capability signals
Crypto, Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign, medium confidence
Purpose & Capability
The skill's name/description map to the implemented endpoints and tools: it exposes POST /tool/:name handlers (set_api_code, check_mining_state, start_managed_mining_loop, etc.) and uses X-Api-Code to call the upstream game API. Dependencies (express, zod) and included files implement this purpose and are appropriate.
Instruction Scope
SKILL.md explicitly constrains agents to use the Skill's tool API and not call upstream /api/* directly; the runtime code implements that contract. The SKILL.md metadata lists REQUEST_TIMEOUT_MS as a required env var but the registry metadata shows none — the runtime actually reads several env vars (GAME_API_BASE_URL, REQUEST_TIMEOUT_MS, API_CODE_STORE_PATH, multiple MANAGED_* settings). This mismatch between declared requirements and actual env usage should be resolved.
Install Mechanism
No remote install/download steps are declared. The package is a normal Node skill with package.json and small dependencies (express, zod). There is no suspicious installer or third-party URL downloads in the manifest.
! Credentials
The skill does not ask for cloud credentials and instead expects per-user apiCode values to be provided at runtime (set via set_api_code). However, the runtime reads many environment variables that were not all declared in the registry metadata (GAME_API_BASE_URL, API_CODE_STORE_PATH, various MANAGED_* flags). In particular API_CODE_STORE_PATH can be set to an arbitrary file path, allowing the skill to write its stored apiCodes to a user-specified location — this is powerful and should be documented/locked down. The skill persists sensitive apiCode tokens to disk by default (data/api-code-store.json), which is a sensitive operation and should be considered when hosting.
Persistence & Privilege
always:false (no forced inclusion). The skill persists apiCode values to disk (default path under process.cwd()/data), maintains in-memory session events, and can run managed loops autonomously when started. It does not modify other skills or global agent configs. Storing user apiCodes on disk is normal for this purpose but increases the attack surface (credentials on disk).
Assessment
This skill appears to do what it claims: it implements managed mining tools that call a game API using per-user apiCodes. Before installing, check these items: (1) Confirm where the skill will store apiCodes — default is data/api-code-store.json under the skill's working directory — and ensure that file path and permissions are acceptable (or set API_CODE_STORE_PATH to a secure location). (2) Verify the GAME_API_BASE_URL is the expected/official endpoint (defaults to https://api.km.cocweb3.com). (3) Be aware the skill reads several env vars (REQUEST_TIMEOUT_MS and many MANAGED_* flags) even though the registry metadata didn't list them; ensure you set only the values you trust. (4) Treat any apiCode you provide as sensitive: it is persisted locally and used by the skill to perform game actions. If you need higher assurance, request the author to: add missing env var declarations to metadata, document persistence format/permissions, and provide an option to avoid on-disk storage (in-memory or encrypted storage).
tools.js:3
Environment variable access combined with network send.
! tools.js:1
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latest vk97dne1prjedh0gnzmn8fxax3985jgkq
213 downloads
1 star
12 versions
Updated 2d ago
v1.0.11
MIT-0

ClawQuest: Agent Mine - OpenClaw Managed Mining

This Skill exposes managed mining tools for OpenClaw session workflows.

Agent rules OpenClaw

Automated agents (including OpenClaw workflows) must follow these constraints:

  • Tools only: Interact with the game only through this Skill’s tool HTTP API — POST /tool/:name on the skill-openclaw service, using the tool names documented below (set_api_code, check_mining_state, start_managed_mining_loop, etc.). Do not call the upstream game /api/* endpoints directly from the agent, custom scripts, or curl unless this Skill explicitly documents that path as a supported tool (it does not for raw /api/*).
  • Do not modify source: Do not edit, patch, or fork the skill-openclaw source tree, package.json, or runtime code to “fix” behaviour. Use documented environment variables and this SKILL.md only.
  • Report errors; do not self-heal in code: If a tool fails or behaviour is unexpected, report the failure (HTTP status, response body, tool name, cacheKey, timestamps, logs). Do not rewrite Skill code, inject alternate HTTP clients, or bypass the tool layer as a workaround.

API Contract

All mining and stamina APIs require X-Api-Code.

  • POST /api/startMining
  • POST /api/checkMiningState
  • POST /api/endMining
  • POST /api/setAutoMining
  • POST /api/buyStamina
  • POST /api/getStamina

(Internal round flow still uses POST /api/setAutoMining, POST /api/startMining and POST /api/endMining via the managed loop implementation; they are not exposed as Skill tools.)

Authentication:

  • Header: X-Api-Code: <apiCode>

The Skill does not perform game client login. Users must provide apiCode generated in-game.

State Codes

check_mining_state returns apiState and miningState. Numeric values map as follows.

apiState

Value | Name
0 | ApiInactive
1 | ApiInUse
2 | ApiClosing
3 | ApiActive

miningState

Value | Name
0 | MiningIdle
1 | MiningInProgress
2 | MiningRewardPending

Tools

set_api_code

Persist an apiCode for later calls.

Inputs:

  • apiCode (required)
  • cacheKey (optional, default: default)

get_api_code

Read the cached apiCode.

Inputs:

  • cacheKey (optional, default: default)

clear_api_code

Delete the cached apiCode.

Inputs:

  • cacheKey (optional, default: default)

check_mining_state

Query API activation status and mining state. Returns apiState and miningState (see State Codes).

Inputs:

  • apiCode (optional, falls back to cache)
  • cacheKey (optional, default: default)

buy_stamina

Buy stamina using diamonds.

Inputs:

  • apiCode (optional, falls back to cache)
  • cacheKey (optional, default: default)

get_stamina

Get stamina and diamonds.

Inputs:

  • apiCode (optional, falls back to cache)
  • cacheKey (optional, default: default)

start_managed_mining_loop

Start managed loop execution.

Flow:

  1. start_mining — abort on error
  2. wait for estimatedEndAt
  3. loop end_mining — retry on error, round complete on success
  4. record reward
  5. wait round interval and continue

Inputs:

  • apiCode (optional, falls back to cache)
  • cacheKey (optional, default: default)
  • lang (optional)
  • pollingIntervalMilliseconds (optional)
  • roundIntervalMilliseconds (optional)
  • maxConsecutiveErrorCount (optional)
  • autoBuyStamina (optional)
  • autoBuyStaminaMaxFailures (optional)
  • forceRestart (optional)

start_mining_session

Same as start_managed_mining_loop with OpenClaw session binding and event stream.

get_mining_session_events

Read incremental session events.

Inputs:

  • sinceEventId (optional, default: 0)

get_mining_quick_status

Read lightweight managed loop status.

get_managed_mining_status

Read full managed loop status.

stop_managed_mining_loop

Request safe stop for running managed loop.

Deprecated Tools

  • start_auto_mining (deprecated)
  • stop_auto_mining (deprecated)

Suggested Call Order

  1. set_api_code (one-time setup)
  2. start_mining_session
  3. (optional) call get_mining_quick_status or get_mining_session_events on demand — do not set up automatic periodic polling by default
  4. call stop_managed_mining_loop when needed

Error Codes

All API responses include a code field. 0 means success; non-zero values indicate an error.

Common Errors

Code | Name | Description
400 | InvalidParams | Invalid or missing parameters (e.g. empty X-Api-Code header)
401 | AuthFailed | Authentication failed (invalid apiCode)
500 | InternalServerError | Server internal error
1010 | NotEnoughResources | Insufficient resources (diamonds not enough for stamina purchase)

Mining Errors

Code | Name | Description
2003 | InsufficientResources | Insufficient stamina to start mining
2008 | DiamondNotEnought | Insufficient diamonds
2009 | MiningStateConflict | Mining state conflict (e.g. calling startMining while already in progress, or endMining when not mining via API)
2014 | MiningApiNotActive | API mining feature not activated for this player
2018 | MiningNotFinished | Mining not finished yet (current time has not reached estimatedEndAt)

Environment Variables

Variable | Description
GAME_API_BASE_URL | Optional API base URL override (default: https://api.km.cocweb3.com)
REQUEST_TIMEOUT_MS | Request timeout in milliseconds (default: 8000)
MANAGED_MINING_POLL_INTERVAL_MS | Default polling interval in milliseconds (default: 1000)
MANAGED_MINING_ROUND_INTERVAL_MS | Default round interval in milliseconds (default: 2000)
MANAGED_MINING_MAX_CONSECUTIVE_ERROR_COUNT | Consecutive error stop threshold (default: 10)
MANAGED_MINING_AUTO_BUY_STAMINA | Enable auto-buy on stamina insufficient: 1 or true
MANAGED_MINING_AUTO_BUY_MAX_FAILURES | Consecutive auto-buy failures stop threshold (default: 3)
MINING_SESSION_MAX_EVENTS | Ring buffer size for events (default: 200)
API_CODE_STORE_PATH | Path for cached apiCode store (default: ./data/api-code-store.json)
ORE_TYPE_NAME_MAP_PATH | Path for ore type display name map (default: ./config/ore-type-map.json)
