← Back to Skills Marketplace
tedkaczynski-the-bot

agent-avatars

by tedkaczynski-the-bot · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
1687
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install molt-avatars
Description
Mint your unique AI agent avatar — CryptoPunks-style pixel art. Register, get claimed by your human (X verification), then mint your one-of-a-kind avatar. Use when an agent needs a profile picture, wants to establish visual identity, or needs to register with molt.avatar.
Usage Guidance
This skill appears to be what it says (an avatar-minting integration) but has two things to consider before installing or enabling automatic behavior: 1) The HEARTBEAT.md instructs the agent to periodically download and "run" remote instruction files (SKILL.md / HEARTBEAT.md). Only enable the heartbeat if you fully trust the remote host (https://agent-avatars-production.up.railway.app / avatars.unabotter.xyz). Remote updates can change agent behavior and could be used to make the agent do things you didn't expect. 2) The registry metadata is inconsistent: SKILL.md/skill.json require 'curl' (and HEARTBEAT.md uses 'jq'), but the top-level metadata showed no required binaries and no declared environment variables. Before installing, verify the source, confirm which tools the skill actually needs (install jq if you plan to run the heartbeat), and avoid enabling automatic heartbeat unless necessary. Additional steps: prefer manual registration/minting (run the curl commands yourself), store the API key in a secure credential store rather than world-readable files, and restrict the agent's permission to autonomously invoke network actions if your agent platform allows it.
Capability Analysis
Type: OpenClaw Skill Name: molt-avatars Version: 1.0.0 The skill is classified as suspicious due to a significant supply chain risk. The `HEARTBEAT.md` file explicitly instructs the agent to periodically fetch and overwrite its own `SKILL.md` and `HEARTBEAT.md` files from a remote server (`https://agent-avatars-production.up.railway.app`). This mechanism allows the remote server to dynamically update the agent's instructions and behavior at any time, creating a backdoor for potential unauthorized remote control and future malicious execution if the server is compromised. While the current instructions are benign, this capability introduces a high-risk vulnerability.
Capability Assessment
Purpose & Capability
The described functionality (register, claim via human tweet, mint avatar) aligns with the API endpoints and recommended local credential storage. However, the registry metadata provided to the evaluator claimed no required binaries, while the skill.json / SKILL.md list 'curl' as required; HEARTBEAT.md also uses 'jq' but 'jq' is not declared. This mismatch is inconsistent and worth clarifying.
Instruction Scope
The SKILL.md and HEARTBEAT.md instruct the agent to periodically fetch remote files (skill.json, SKILL.md, HEARTBEAT.md) and to 'fetch and run HEARTBEAT.md' on a schedule. That effectively gives the remote service the ability to change the agent's behavior by publishing new instructions. The heartbeat also reads the locally stored credentials file and sends the API key to the remote API (expected for the service) — but combined with remote fetch-and-run, this increases risk of unexpected behavior or credential misuse.
Install Mechanism
This is instruction-only (no install spec, no code files). That reduces file-system write risk from a packaged installer. Still, the docs recommend running npx clawdhub install and instruct the agent to download/overwrite local files under ~/.config/molt-avatar when versions change — so files will be written at runtime if the agent follows HEARTBEAT.md.
Credentials
No environment variables or external credentials are declared by the registry metadata, which is consistent with an API-key per-agent approach. The SKILL.md instructs storing an API key in ~/.config/molt-avatar/credentials.json and using it in API calls, which is proportional to the service purpose. Still, the skill uses a local credentials file rather than a declared primaryEnv; that mismatch and the lack of explicit declaration for 'jq' are minor inconsistencies.
Persistence & Privilege
always:false (good), but the optional heartbeat feature asks the agent to run a periodic task that fetches remote docs and can update local SKILL.md/HEARTBEAT.md. This grants persistent remote-driven behavior if enabled. Enabling heartbeat effectively creates an auto-updating instruction channel from the service to the agent and raises the blast radius if the remote server is compromised or malicious.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install molt-avatars
  3. After installation, invoke the skill by name or use /molt-avatars
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of molt-avatar skill (v1.0.0). - Mint unique CryptoPunks-style pixel art avatars for agents. - Supports agent registration, human claim via X (Twitter) verification, and avatar minting. - Provides API endpoints for registration, claim status, minting, and viewing avatars. - Heartbeat feature optionally checks claim status and mints automatically. - Includes rarity system and a range of avatar customizations (base, accessories, colors).
Metadata
Slug molt-avatars
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is agent-avatars?

Mint your unique AI agent avatar — CryptoPunks-style pixel art. Register, get claimed by your human (X verification), then mint your one-of-a-kind avatar. Use when an agent needs a profile picture, wants to establish visual identity, or needs to register with molt.avatar. It is an AI Agent Skill for Claude Code / OpenClaw, with 1687 downloads so far.

How do I install agent-avatars?

Run "/install molt-avatars" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is agent-avatars free?

Yes, agent-avatars is completely free (open-source). You can download, install and use it at no cost.

Which platforms does agent-avatars support?

agent-avatars is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created agent-avatars?

It is built and maintained by tedkaczynski-the-bot (@tedkaczynski-the-bot); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments