← Back to Skills Marketplace
479
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install 4claw-mint
Description
Mint 4Claw tokens on BSC through OpenClaw agents. Each agent can mint 100 tokens every 15 minutes. Use when the user wants to mint 4Claw tokens, check mint s...
README (SKILL.md)
4Claw Mint
Mint 4Claw (symbol: 4) tokens on BSC. Only OpenClaw agents can mint — the contract requires a signature from the authorized signer service.
Token Info
- Name: 4Claw, Symbol: 4
- Chain: BSC (Chain ID: 56)
- Contract:
0x5F4E6Ee459fA71C226131BCeD5694aAab3b481dB - Total Supply: 1,000,000
- Public Mint: 600,000 (100 per mint, 6000 total mints)
- LP Reserve: 400,000 (pre-minted to deployer)
- Cooldown: 15 minutes per wallet
How It Works
- Agent calls the signer service with its wallet address
- Service checks cooldown, generates nonce + deadline, signs the mint authorization
- Agent submits the signature to the on-chain contract
- Contract verifies signature, enforces cooldown, mints 100 tokens
Mint
Run the mint script with the agent's wallet private key:
node scripts/mint.js \x3CPRIVATE_KEY> \x3CSERVER_URL>
PRIVATE_KEY: Agent's BSC wallet private key (needs small BNB for gas)SERVER_URL: Signer service URL (default: http://43.160.201.224:3456)
The script handles everything: request signature → send tx → confirm → report balance.
Signer Service
The signer service must be running for mints to work. It validates requests and signs mint authorizations.
SIGNER_PRIVATE_KEY=0x... CONTRACT_ADDRESS=0x... node scripts/server.js
Endpoints:
POST /api/mint-signature— Request a mint signature. Body:{"wallet_address": "0x..."}GET /api/status— Check service status
Contract
Source: references/FourClaw.sol
Key functions:
mint(nonce, deadline, signature)— Mint 100 tokens (requires valid signer signature)lastMintTime(address)— Check when an address last mintedmintRemaining()— How many public mint tokens are leftsetSigner(address)— Owner can update the signer address
Setup for Deployer
- Deploy
FourClaw.solto BSC with constructor args:(signerAddress, lpWalletAddress) - Set env vars and start the signer service
- Share the skill — any OpenClaw agent with a BSC wallet can mint
Error Handling
- Cooldown not elapsed: Wait 15 minutes between mints
- Public mint exhausted: All 600,000 tokens have been minted
- Signature expired: Signature is valid for 5 minutes, retry
- Invalid signature: Signer service may be misconfigured
- Insufficient BNB: Agent wallet needs BNB for gas (~0.001 BNB per mint)
Usage Guidance
This skill implements the advertised minting flow, but it has two practical risks you should consider before installing or running it:
- Default remote signer: The mint script defaults to http://43.160.201.224:3456. If you run the mint command without specifying a different SERVER_URL, your agent will contact that external server and reveal its wallet address and mint activity. Only use a remote signer you trust. Prefer running your own signer service (scripts/server.js) under your control.
- Undeclared sensitive env vars: The signer requires SIGNER_PRIVATE_KEY and CONTRACT_ADDRESS but the skill metadata doesn't declare these. If you deploy the signer, keep SIGNER_PRIVATE_KEY secret; anyone with it can sign mint authorizations.
Practical recommendations:
- Do not pass your private key to any third party. The mint.js script accepts your agent wallet private key as a CLI argument; run it locally and do not share that key.
- If you want to use this skill, host the signer yourself: set SIGNER_PRIVATE_KEY and CONTRACT_ADDRESS, run server.js on infrastructure you control, and call mint.js with SERVER_URL pointing to your signer.
- Verify the contract address and contract source independently (the SKILL.md lists a contract, but remote signers can return arbitrary contract addresses). Ensure the signer is configured to sign only for the intended contract and chain.
- If you cannot host your own signer or fully trust the default remote IP, do not use this skill. The behavior (external signer, undeclared secrets) is inconsistent with safe defaults.
Capability Analysis
Type: OpenClaw Skill
Name: 4claw-mint
Version: 1.0.0
The skill is classified as suspicious due to a critical trust vulnerability in `scripts/mint.js`. While the `SKILL.md` specifies a contract address, the `mint.js` script retrieves the target contract address from an external, hardcoded server (`http://43.160.201.224:3456`). This allows the operator of that server to dictate which smart contract the agent interacts with using its private key, potentially redirecting funds or performing unauthorized actions on an attacker-controlled contract. This design flaw creates a high risk of exploitation, even though the script itself doesn't exhibit explicit malicious intent like data exfiltration or backdoor installation.
Capability Assessment
Purpose & Capability
The skill's name and code (mint.js and server.js) match the stated purpose of minting 4Claw tokens on BSC. However the SKILL metadata declares no required credentials or secrets even though the included signer server requires a SIGNER_PRIVATE_KEY and CONTRACT_ADDRESS. Also the mint script defaults to a hard-coded remote SERVER_URL (http://43.160.201.224:3456) which is not justified by the metadata or documentation.
Instruction Scope
The runtime instructions ask agents to run node scripts/mint.js with the agent's wallet private key (reasonable for sending the transaction locally). But the mint script will POST the agent wallet address to a default external IP-based signer service (43.160.201.224). That server will learn which agent wallets are minting and can return arbitrary contract info/signatures. The SKILL.md does note you can run your own signer, but the default points to an external server the user likely does not control — a privacy and operational risk.
Install Mechanism
There is no install specification (instruction-only plus included scripts). Nothing is automatically downloaded or installed by the registry; the code is provided in the skill bundle. This is lower risk than arbitrary remote installs.
Credentials
The skill metadata does not declare any required environment variables or primary credential, yet scripts/server.js clearly requires SIGNER_PRIVATE_KEY and CONTRACT_ADDRESS to run. That mismatch is a red flag: sensitive credentials are necessary to operate the signer but are not advertised in the skill manifest. Also the default SERVER_URL points to a third-party IP — the skill could be used with that remote signer, which would collect agent wallet addresses and mint timing (privacy leak).
Persistence & Privilege
The skill does not request always:true, does not create persistent system-wide configuration, and does not alter other skills. It runs as-invoked and requires explicit execution by agents.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install 4claw-mint - After installation, invoke the skill by name or use
/4claw-mint - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: mint 4Claw tokens on BSC via OpenClaw agents
Metadata
Frequently Asked Questions
What is 4Claw Mint?
Mint 4Claw tokens on BSC through OpenClaw agents. Each agent can mint 100 tokens every 15 minutes. Use when the user wants to mint 4Claw tokens, check mint s... It is an AI Agent Skill for Claude Code / OpenClaw, with 479 downloads so far.
How do I install 4Claw Mint?
Run "/install 4claw-mint" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 4Claw Mint free?
Yes, 4Claw Mint is completely free (open-source). You can download, install and use it at no cost.
Which platforms does 4Claw Mint support?
4Claw Mint is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created 4Claw Mint?
It is built and maintained by Xiaoyu (@xiaoyu022025); the current version is v1.0.0.
More Skills