Downloads: 462
Stars: 2
Active Installs: 0
Versions: 1
Install in OpenClaw
/install storj-agent
Description
Autonomous economic agent that earns BTC & SOL by selling storage, compute, and bandwidth. Pays its own hosting, manages subagents, posts tweets, and replica...
Usage Guidance
Do NOT run or deploy this skill with real secrets or real funds. Specific concerns and next steps:
- Stop: the repo already contains hardcoded API keys, a Supabase key, Storj credentials, and Twitter tokens in source files and twitterdata.txt. Treat those values as compromised.
- Do not supply your real SOL/BTC wallet or API keys to this process until the code is audited and cleaned.
- Fixes required before trusting: remove all hardcoded secrets; use only environment variables as documented; remove any leftover credential files; and rotate any keys that were leaked in these files.
- Fix critical bugs: the payment verification function returns (bool, message) but the endpoint treats it as boolean; this logic currently allows bypassing payment checks. Also fix the replay-protection flow (do not mark a signature as used before verifying payment and ensure atomic checks against a durable store).
- Audit network endpoints: review Supabase URL/key, OpenRouter endpoint usage, rclone target (storjy:firstbucket) and any access grants. Treat the included SUPABASE_KEY/STORJ_ACCESS/ACCESS_GRANT as compromised and rotate them.
- Principle-of-least-privilege: run any further tests in an isolated environment (no real wallets, no production keys), and disable autonomous operation until you can confirm correct verification and security controls.
- If you need this functionality, ask the author for a clean release that: uses env vars only, documents exactly which keys are needed, removes embedded test data/base64 dumps, and includes unit tests demonstrating correct payment verification and replay-resistance. If the source/author is unknown or cannot explain these issues, consider this skill untrustworthy.
Capability Analysis
Type: OpenClaw Skill
Name: storj-agent
Version: 2.0.0
The skill bundle is classified as suspicious due to critical security vulnerabilities. Multiple sensitive API keys and secrets (OpenRouter, Twitter, Supabase, Storj) are hardcoded in `mainapp.py` and `services/tasking.py`, directly violating the `SKILL.md` instruction to use environment variables. More critically, the `upload_file_rclone` function in `services/tasking.py` is vulnerable to shell injection, as it uses unsanitized user-provided `filename` directly in a `subprocess.run` command, allowing arbitrary command execution on the host system. Additionally, `blockchain/blockchain.py` includes a `generate_wallets` function that saves private keys to a local JSON file, marked 'FOR TESTING ONLY', which poses a risk if misused.
Capability Assessment
Purpose & Capability
The declared purpose (a StorJ autonomous agent selling storage/compute and posting tweets) matches many requested binaries (python3, rclone) and external services (Storj, OpenRouter, Twitter, Supabase). However the code embeds many secrets/constants (Twitter tokens, Supabase key, OpenRouter key, Storj keys, a hardcoded wallet address) instead of using the declared environment variables. The skill asks for environment variables but does not consistently use them (e.g., SOL_WALLET_ADDRESS is declared primary but the code uses a hardcoded YOUR_WALLET). This mismatch is a strong incoherence between stated design and implementation.
Instruction Scope
SKILL.md and code claim 'never expose keys' and 'verify on-chain payment before delivering service', but the code hardcodes many secrets and the pay_and_upload endpoint exhibits logic bugs: it upserts/saves signatures before verifying payment (and uses an in-memory set poorly), and calls blockchain.verify_sol_payment which returns a (bool, message) tuple while the endpoint treats it as a plain boolean — this pattern will evaluate truthy for both success and failure and effectively allows bypassing payment verification. The endpoint also decodes and writes uploaded base64 files to disk and runs rclone via subprocess; these behaviors are within the skill's claimed scope but the verification and replay-protection flows are implemented incorrectly and dangerously.
Install Mechanism
There is no install specification (instruction-only in metadata), but the package includes multiple code files and a package.json. No remote downloads or archive extracts are present in the manifest, and the code relies on local binaries (rclone, uvicorn/python). Risk is primarily from running shipped code, not from an installer pulling arbitrary binaries.
Credentials
The skill declares many required secrets (OpenRouter, Twitter, Supabase, Storj credentials, SOL wallet) — which are plausible for the stated functionality — but the repository already contains hardcoded values for many of those credentials (in mainapp.py, services/tasking.py, and twitterdata.txt). That both contradicts the guidance in SKILL.md and increases the risk of credential leakage or misuse. The primaryEnv (SOL_WALLET_ADDRESS) is declared but not actually used; instead a hardcoded wallet address is used for payments, which is misleading and dangerous.
Persistence & Privilege
always:false (good), but the skill is allowed to run autonomously and includes code paths that can post to Twitter, call external APIs (OpenRouter, Supabase), and send blockchain transactions. Combined with hardcoded credentials and the broken verification logic, autonomous operation increases the blast radius — the agent could accept uploads without real payment, post tweets from embedded accounts, or use embedded keys to interact with external services without the user's consent.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install storj-agent`
- After installation, invoke the skill by name or use `/storj-agent`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.0
Major update: Storj-agent 2.0.0 introduces a fully autonomous crypto-earning agent with advanced self-management and economic survival features.
- Adds autonomous sales of storage, compute, and bandwidth for BTC & SOL, managing finances, hosting, and subagents independently.
- Supports pay-and-upload storage with on-chain SOL payment verification and rclone integration.
- Implements autonomous tweet generation and posting with OpenRouter and strict persona/guardrails.
- Provides full lifecycle management of subagents, including spawning, evaluation, evolution, and reinvestment.
- Introduces wallet management and payment functions for both Bitcoin and Solana chains.
- Enforces strict security on env variables, private key secrecy, and operation guardrails.
Frequently Asked Questions
What is StorJ Agent?
Autonomous economic agent that earns BTC & SOL by selling storage, compute, and bandwidth. Pays its own hosting, manages subagents, posts tweets, and replica... It is an AI Agent Skill for Claude Code / OpenClaw, with 462 downloads so far.
How do I install StorJ Agent?
Run "/install storj-agent" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is StorJ Agent free?
Yes, StorJ Agent is completely free (open-source). You can download, install and use it at no cost.
Which platforms does StorJ Agent support?
StorJ Agent is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, darwin, win32).
Who created StorJ Agent?
It is built and maintained by Kay (@nightcode112); the current version is v2.0.0.