
POIDH Bounty Bot

by saltoriousSIG · GitHub ↗ · v1.0.3
cross-platform ⚠ suspicious
Downloads: 557 · Stars: 1 · Active Installs: 0 · Versions: 4
Install in OpenClaw
/install poidh
Description
Post bounties and evaluate/accept winning submissions on poidh (pics or it didn't happen) on Arbitrum, Base, or Degen Chain. Use this skill when the user wan...
Usage Guidance
This skill will need your wallet private key and an RPC URL to operate — both are highly sensitive. Before installing or using it:
  1. Confirm with the publisher why the registry metadata omitted the PRIVATE_KEY / RPC_URL / binaries listed in SKILL.md.
  2. Prefer safer signing: use a dedicated ephemeral EOA with minimal funds, a remote signer, or hardware wallet rather than pasting your main private key.
  3. If you must provide a key, avoid passing it on the command line (the examples do); that exposes it to process listings and logs.
  4. Test with very small amounts on the target chain and verify the contract addresses and MIN_BOUNTY_AMOUNT on-chain yourself.
  5. Be aware the agent will fetch and evaluate arbitrary external URIs attached to claims — those URIs can host malicious content or tracking.
If you are uncomfortable with these risks or cannot use a delegated signer, do not install/enable this skill.
Capability Analysis
Type: OpenClaw Skill
Name: poidh
Version: 1.0.3

This skill is classified as suspicious due to its inherent vulnerability surface related to fetching and evaluating arbitrary external content from untrusted sources. The skill instructs the AI agent to retrieve claim URIs (e.g., IPFS, Arweave, HTTP links) and then fetch and process the content (images, web pages, videos, documents) using Python's `requests.get()` and the agent's native vision/web fetch tools. A malicious claimant could provide a specially crafted URI pointing to content designed to exploit vulnerabilities in the agent's processing capabilities (e.g., image parsers, web renderers), potentially leading to remote code execution or data exfiltration from the agent's environment. While the skill's stated purpose is benign, this mechanism introduces a significant attack vector, making it a critical vulnerability rather than direct malicious intent within the skill's code itself. Additionally, the skill requires access to a `PRIVATE_KEY` for on-chain transactions, which, while necessary for its function, elevates the risk profile if the agent were to be compromised through the aforementioned content processing vulnerability.
Capability Assessment
Purpose & Capability
The SKILL.md clearly requires a PRIVATE_KEY, RPC_URL, and POIDH_CHAIN and lists required binaries (cast, python3) to sign and send transactions and to fetch/evaluate claims. Those requirements are coherent with the stated purpose (creating and accepting Poidh bounties). However, the registry metadata reported earlier (no required env vars / no required binaries) contradicts SKILL.md. That mismatch is notable: either the registry metadata is incomplete or the instructions are out-of-date.
Instruction Scope
Runtime instructions direct the agent to use the user's EOA PRIVATE_KEY to sign transactions (cast send --private-key), query the chain, fetch claim URIs (which can be arbitrary external URLs/IPFS/tweets/pages), and evaluate content via vision. Fetching and evaluating arbitrary external content is expected for this task but expands the attack surface (malicious payloads, tracking URLs). Using the raw private key on the agent and passing it as a CLI argument increases exposure (process lists, logs).
Install Mechanism
This is an instruction-only skill with no install spec or code files, which minimizes file-system risk. SKILL.md does declare required binaries (cast, python3) but the registry claimed none — the inconsistency should be resolved. No downloads or external installers are present.
Credentials
Requesting a full PRIVATE_KEY and RPC_URL is functionally necessary to post/accept on-chain bounties, but it is a high-privilege secret. The skill does not propose safer alternatives (e.g., signing via a hardware wallet, remote signer, or delegated service). Passing the private key on the command line (as shown) can leak it via process listings or logs. The declared registry metadata failing to list these env vars is an additional red flag.
Persistence & Privilege
The skill is not marked always:true and has no install spec that writes persistent binaries or modifies other skills. Autonomous invocation is allowed (default) and is not, by itself, a new concern; combined with the private key requirement and the fetching of external content, however, it raises the risk.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install poidh
  3. After installation, invoke the skill by name or use /poidh
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
poidh v1.0.3
- Added Degen Chain support (new contract address, explorer, and bounty minimums).
- Updated description and instructions to cover Arbitrum, Base, and Degen.
- Added chain-specific poidh.xyz URL and frontend bounty ID offset logic.
- Updated command examples for returning frontend-ready URLs and IDs when posting bounties.
- Improved clarity and accuracy of environment variable and chain selection documentation.
v1.0.2
poidh v1.0.2
- Added explicit documentation for minimum bounty and minimum contribution amounts per supported chain (Arbitrum, Base, Degen).
- Advised users to always verify minimums on-chain using the relevant contract calls.
- No functional code changes; update strictly improves clarity and onboarding for bounty creators and contributors.
v1.0.1
- Added multi-chain support: use the `POIDH_CHAIN` variable to target `arbitrum`, `base`, or `degen` (contract addresses are resolved automatically).
- Removed manual `POIDH_CONTRACT_ADDRESS` configuration; it is now derived from `POIDH_CHAIN`.
- Updated task instructions and URLs to adapt dynamically to the selected chain.
- Environment variable setup, chain references, and explorer/documentation links are clarified for all supported networks.
v1.0.0
Initial Commit
Metadata
Slug poidh
Version 1.0.3
License
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is POIDH Bounty Bot?

Post bounties and evaluate/accept winning submissions on poidh (pics or it didn't happen) on Arbitrum, Base, or Degen Chain. Use this skill when the user wan... It is an AI Agent Skill for Claude Code / OpenClaw, with 557 downloads so far.

How do I install POIDH Bounty Bot?

Run "/install poidh" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is POIDH Bounty Bot free?

Yes, POIDH Bounty Bot is completely free (open-source). You can download, install and use it at no cost.

Which platforms does POIDH Bounty Bot support?

POIDH Bounty Bot is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created POIDH Bounty Bot?

It is built and maintained by saltoriousSIG (@saltorioussig); the current version is v1.0.3.
