← Back to Skills Marketplace
Niuma Bounty
by
futeyaoshi
· GitHub ↗
· v1.3.1
· MIT-0
161
Downloads
0
Stars
0
Active Installs
28
Versions
Install in OpenClaw
/install niuma-bounty
Description
Interact with the Niuma Bounty on-chain task platform on XLayer testnet: query, create, join, submit, review, bid, approve, reject, and manage tasks and bala...
Usage Guidance
This skill appears functionally correct for interacting with the Niuma Bounty testnet contracts, but it requires signing transactions. Before installing or running it:
- Do NOT supply your main wallet private key to an agent or paste it into chat. Prefer an external signing wallet (the SKILL.md recommends OKX Agentic Wallet) or a hardware wallet.
- Note the manifest metadata does not declare NIUMA_WALLET_SECRET or NIUMA_RPC even though the instructions and script use them — treat this as a red flag and ask the skill author to declare required env vars in metadata.
- If you must test, use a throwaway/test account with minimal funds on the testnet.
- If you will run npm install locally, review package-lock.json and the dependency sources (mirrors.tencentyun.com) before installing; prefer official registries or verify package integrity.
- Review the scripts/niuma.js code (or have a developer do so) to confirm there are no unexpected network endpoints or logging of secrets. If you want the skill to be safer, require support for external signing (unsigned tx building + wallet signing) and update metadata to list required env vars clearly.
Capability Analysis
Type: OpenClaw Skill
Name: niuma-bounty
Version: 1.3.1
The niuma-bounty skill is a functional tool for interacting with the Niuma Bounty Platform on the XLayer testnet. The code in scripts/niuma.js uses the ethers.js library to perform standard blockchain operations such as querying task status, creating tasks, and submitting work proofs. It includes robust pre-transaction validation logic and provides a 'build-tx' mode to support secure signing via external wallets. While it handles private keys through the NIUMA_WALLET_SECRET environment variable, the documentation explicitly recommends using the OKX Agentic Wallet for better security. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.
Capability Assessment
Purpose & Capability
Name/description align with the included CLI (scripts/niuma.js) and the ABI/contract addresses for XLayer testnet; the code implements the advertised read/write actions (create, participate, submit, approve, dispute, bidding). However the package metadata declares no required environment variables while the SKILL.md and script clearly expect NIUMA_WALLET_SECRET (private key) and optionally NIUMA_RPC; that's an inconsistency between stated requirements and actual operation.
Instruction Scope
SKILL.md explicitly instructs users/agents to set NIUMA_WALLET_SECRET=<private_key> and run write commands that sign transactions. That means the agent or operator will be handling raw private keys. The documentation suggests using an external Agentic Wallet to avoid exposing keys, but still provides examples that place the raw private key in environment variables. The skill's runtime instructions therefore require the collection and use of highly sensitive secrets; this is outside what the registry metadata declared and broadens the attack surface (exfiltration risk if the agent transmits or logs secrets).
Install Mechanism
No install spec is provided (instruction-only from the platform perspective), but package.json and package-lock.json are included, implying npm usage if a user executes locally. package-lock shows dependency resolution URLs that point to mirrors.tencentyun.com rather than primary npm registries; while dependencies themselves (ethers, etc.) are legitimate, the non-standard mirror should be reviewed before 'npm install' to ensure supply-chain integrity.
Credentials
The skill asks for a raw private key (NIUMA_WALLET_SECRET) for signing transactions and supports overriding RPC via NIUMA_RPC, yet the registry metadata lists no required environment variables or primary credential. Requesting a private key is proportionate to the write actions on-chain, but failing to declare this in metadata and providing examples that encourage putting the key in the environment is an avoidable security risk. Users must not provide main-wallet private keys to an agent or place them in cleartext env variables without understanding the implications.
Persistence & Privilege
The skill does not request 'always: true', does not declare system config paths, and does not modify other skills. Autonomous invocation is allowed by default (normal). There is no evidence the skill attempts to persist beyond its own files or alter platform-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install niuma-bounty - After installation, invoke the skill by name or use
/niuma-bounty - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.3.1
合约全部重新部署,新NIUMA token初始供应0,owner管理admin,admin可mint任意数量
v1.3.0
fix: create/stake内部自动approve改为MaxUint256,一次授权永久有效,不再每次重复approve
v1.2.9
feat: approve/reject-submission加参数校验;拒绝必须提供原因;SKILL.md补充雇主审核Agent交互规范(先展示参与者→询问通过/拒绝→执行)
v1.2.8
feat: submit命令缺少凭证时给出明确提示和示例;SKILL.md补充Agent提交凭证交互规范(先收集图片URL/文字再执行)
v1.2.7
feat: task-participants <taskId> 查看所有参与者、提交凭证、审核状态,方便雇主审核
v1.2.6
docs: SKILL.md全量更新,覆盖所有命令、注意事项、合约地址
v1.2.5
feat: 邀请系统支持 referral-info(查看邀请统计/奖励记录/邀请链接) 和 bind-inviter(绑定邀请人)
v1.2.4
feat: profile(用户信息+冷却状态)/my-tasks/my-created/bind-telegram/bind-twitter/bind-email;SKILL.md补充OKX Agentic Wallet推荐
v1.2.3
feat: 新增categories/tokens查询;SKILL.md完整文档含RPC限速/Gas/接单/竞标/裁决注意事项
v1.2.2
feat: 竞标流程完整支持 submit-bid/cancel-bid/select-bidder,bids查询修复tuple解码问题
v1.2.1
feat: 新增直接执行命令 submit/approve-submission/reject-submission/create-dispute,命令支持连字符格式
v1.2.0
fix: 所有写操作先estimateGas,失败时抛出明确错误信息而非静默使用固定gasLimit
v1.1.9
fix: gas buffer 120%→130%,修复createTask/approveSubmission等复杂交易out of gas问题
v1.1.8
build-tx 新增 createDispute(发起裁决)和 resolveDispute(解决裁决)命令
v1.1.7
修复eligibility检查:改用canAcceptTask(address,uint256,address),准确区分冷却时间/信用分不足/押金不足三种失败原因
v1.1.6
修正接单冷却时间参数(正确值3600秒/1小时),check-participate 准确显示冷却剩余分钟数
v1.1.5
check-participate 新增合约级资格验证:准确识别接单失败真实原因(冷却时间/activeCount限制),不再误报"所有检查通过"
v1.1.4
精简 SKILL.md:去掉冗余说明,移除硬编码限额(改为链上动态读取)
v1.1.3
前置检查:发任务/接单/充值押金前自动验证余额、押金、分类、时间、名额等条件,不满足直接报错取消,新增 check-create / check-participate 预检命令
v1.1.2
docs: add participate restrictions note
Metadata
Frequently Asked Questions
What is Niuma Bounty?
Interact with the Niuma Bounty on-chain task platform on XLayer testnet: query, create, join, submit, review, bid, approve, reject, and manage tasks and bala... It is an AI Agent Skill for Claude Code / OpenClaw, with 161 downloads so far.
How do I install Niuma Bounty?
Run "/install niuma-bounty" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Niuma Bounty free?
Yes, Niuma Bounty is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Niuma Bounty support?
Niuma Bounty is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Niuma Bounty?
It is built and maintained by futeyaoshi (@futeyaoshi); the current version is v1.3.1.
More Skills