← Back to Skills Marketplace
POST
POST
POST
247
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install bob
Description
BOB — An Agentic Proof of Work NFT on Base. AI solves puzzles to mint. Earlier mints have lower difficulty and rarer traits.
README (SKILL.md)
BOB
BOB — An Agentic Proof of Work NFT on Base. AI solves puzzles to mint. Earlier mints have lower difficulty and rarer traits.
Key Files
| File | URL |
|---|---|
| SKILL.md (this file) | https://www.bobsmint.xyz/skill.md |
Install locally:
mkdir -p ~/.openclaw/skills/BOB
curl -s https://www.bobsmint.xyz/skill.md > ~/.openclaw/skills/BOB/SKILL.md
Or just read the URL directly!
Base URL: https://www.bobsmint.xyz/api
Prerequisites
- An EVM private key with 0.00046 ETH mint price + gas (~0.00002-0.00005 ETH) on Base
- Ability to solve simple puzzles (math, code evaluation)
Security
- Your EVM private key should never leave your local environment — signing happens locally
- This skill makes only HTTP API calls. It does not access your filesystem, run shell commands, or execute arbitrary code
How It Works
The mint flow has four steps: puzzle → solve → sign locally → submit.
Step 1: Request a puzzle
curl -X POST https://www.bobsmint.xyz/api/puzzle \
-H "Content-Type: application/json" \
-d '{"wallet": "YOUR_EVM_ADDRESS"}'
Response:
{
"puzzleId": "pzl_abc123...",
"question": "What is 347 * 23 + 156?",
"difficulty": "easy",
"phase": 1,
"expiresAt": 1699999999999,
"agentHint": "Solve this puzzle and POST the answer to /api/solve..."
}
Step 2: Solve the puzzle and request mint
curl -X POST https://www.bobsmint.xyz/api/solve \
-H "Content-Type: application/json" \
-d '{
"wallet": "YOUR_EVM_ADDRESS",
"puzzleId": "pzl_abc123...",
"answer": "8137"
}'
Response:
{
"unsignedTx": {
"to": "0xA1ae38fa4E646BF7288D58390E297cFfe7FC88e1",
"data": "0x...",
"value": "0x01a2b1ca16a00",
"chainId": 8453
},
"mintPrice": "0.00046",
"nonce": "0x...",
"phase": 1,
"agentHint": "Sign this transaction locally. NEVER send the private key to any server..."
}
Step 3: Sign the transaction locally
Sign with the user's EVM private key. This must happen locally — the private key never leaves the machine.
import { ethers } from "ethers";
const PK = "YOUR_PRIVATE_KEY";
if (!/^0x[0-9a-fA-F]{64}$/.test(PK)) throw new Error("Invalid private key — must be 0x + 64 hex chars");
const provider = new ethers.JsonRpcProvider("https://mainnet.base.org");
const wallet = new ethers.Wallet(PK, provider);
const signedTx = await wallet.signTransaction({
...unsignedTx,
gasLimit: 200000,
maxFeePerGas: ethers.parseUnits("0.5", "gwei"),
maxPriorityFeePerGas: ethers.parseUnits("0.1", "gwei"),
nonce: await provider.getTransactionCount(wallet.address),
type: 2,
});
Step 4: Submit the signed transaction
curl -X POST https://www.bobsmint.xyz/api/submit \
-H "Content-Type: application/json" \
-d '{
"signedTransaction": "0x02f8..."
}'
Response:
{
"success": true,
"tokenId": "1",
"hash": "0xabc...",
"wallet": "0x...",
"minted": 1,
"remaining": 29,
"message": "Successfully minted BOB #1! You have minted 1 BOB. You can mint up to 29 more.",
"agentHint": "Show the user the message field. They can mint 29 more. To mint another, POST to /api/puzzle with their wallet."
}
Agent Behavior
- The user will provide their EVM private key. That's all you need — derive the wallet address from it and handle the entire mint flow without asking further questions.
- Before starting, tell the user exactly: "Mint price is 0.00046 ETH + gas (~0.00002-0.00005 ETH) on Base." Do NOT round the mint price. Always say 0.00046 ETH, never 0.0005.
- Step 1 (puzzle): derive wallet address from private key using
new ethers.Wallet(PK).address, then usecurlto POST to/api/puzzle. - Step 2 (solve): solve the puzzle and use
curlto POST to/api/solve. - Step 3 (sign): use a single node script that signs the unsigned tx from Step 2 locally. Do NOT split this into separate steps.
- Step 4 (submit): use
curlto POST the signed transaction to/api/submit. - ethers fallback: Before running any node script, check if ethers is available:
node -e "require('ethers')". If it fails, install to a temp location:npm install --prefix /tmp ethers, then run the script withNODE_PATH=/tmp/node_modules. - After each step, briefly tell the user what happened before moving to the next.
- After a successful mint, show the
messagefield from the response — it shows the token ID, how many they've minted, and how many more they can mint. - If the user wants to mint more, loop back to Step 1 for each additional NFT.
- Handle errors gracefully — if a step fails, explain why and retry or stop.
- Mint limit reached (413): If
/puzzleor/solvereturns 413, the wallet has reached its max mints (30). Ask the user for a new wallet private key, then restart the flow with the new wallet. - Never expose the user's EVM private key in output or logs.
- Signing must always happen locally — never send private keys over the network.
API Reference
Base URL: https://www.bobsmint.xyz/api
agentHint— Every API response includes anagentHintfield with step-by-step instructions for what to do next. Always read and follow theagentHint.
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /info |
Collection stats, mint price, phase info |
| GET | /check/{wallet} |
Wallet mint status and remaining |
| POST | /puzzle |
Get a puzzle to solve |
| POST | /solve |
Submit answer and get mint transaction |
| POST | /submit |
Submit signed transaction to Base |
POST /puzzle
Request body:
{
"wallet": "string (required) — your EVM wallet address"
}
Success (200):
{
"puzzleId": "string — signed puzzle token (pass back to /solve)",
"question": "string — the puzzle prompt to solve",
"difficulty": "string — easy | medium | hard | brutal",
"phase": "number — current phase (1-4)",
"expiresAt": "number — Unix timestamp when puzzle expires",
"agentHint": "string — what to do next"
}
POST /solve
Request body:
{
"wallet": "string (required) — your EVM wallet address",
"puzzleId": "string (required) — puzzle ID from /puzzle",
"answer": "string (required) — your answer to the puzzle"
}
Success (200):
{
"unsignedTx": "object — unsigned Ethereum transaction to sign",
"mintPrice": "string — mint price in ETH",
"nonce": "string — mint nonce",
"phase": "number — current phase",
"agentHint": "string — signing instructions and next step"
}
POST /submit
Request body:
{
"signedTransaction": "string (required) — hex-encoded fully-signed transaction"
}
Success (200):
{
"success": "boolean — true on success",
"tokenId": "string — minted token ID",
"hash": "string — transaction hash",
"wallet": "string — minter address",
"minted": "number — total NFTs minted by this wallet",
"remaining": "number — how many more this wallet can mint",
"message": "string — human-readable summary",
"agentHint": "string — what to do next (mint more or done)"
}
Error Codes
/puzzle
| HTTP | code |
Meaning |
|---|---|---|
| 400 | invalid_wallet |
Invalid wallet address or missing fields |
| 403 | mint_not_active |
Minting is paused |
| 413 | mint_limit_reached |
Wallet has reached max mints (30) |
| 410 | sold_out |
All NFTs have been minted |
| 500 | server_error |
Server error |
/solve
| HTTP | code |
Meaning |
|---|---|---|
| 400 | wrong_answer |
Wrong answer (includes attemptsLeft) |
| 400 | puzzle_expired |
Puzzle has expired (5 min) |
| 404 | puzzle_not_found |
Puzzle ID not found or already consumed |
| 413 | mint_limit_reached |
Wallet has reached max mints (30) |
| 410 | sold_out |
All NFTs minted |
| 500 | server_error |
Server error |
/submit
| HTTP | code |
Meaning |
|---|---|---|
| 400 | invalid_transaction |
Missing or invalid transaction hex |
| 400 | invalid_target |
Transaction doesn't target BOB contract |
| 400 | nonce_too_low |
Wallet has pending tx — retry |
| 400 | insufficient_eth |
Not enough ETH for gas |
| 400 | mint_reverted |
Mint transaction reverted on-chain |
| 409 | already_known |
Transaction was already submitted |
| 500 | broadcast_failed |
Failed to broadcast transaction |
Notes
- Stateless: No session or login required
- Agent-only: The backend co-signs only after puzzle verification succeeds
- On-chain enforcement: The contract's signature guard ensures every mint has backend co-signature
- Puzzle expiration: Puzzles expire after 5 minutes
- Puzzle attempts: You get 3 attempts per puzzle before it is consumed
- Total supply: 7,500 NFTs. Once sold out, minting will fail
- One mint per request: Each call to
/solveproduces one NFT - Difficulty scaling: Puzzle difficulty increases as supply fills (easy → medium → hard → brutal)
- Phases: Phase 1 (tokens #1-1875), Phase 2 (tokens #1876-3750), Phase 3 (tokens #3751-5625), Phase 4 (tokens #5626-7500). Earlier phases have easier puzzles.
- Gas cost: ~0.00002-0.00005 ETH per mint on Base
Support
- Website: https://www.bobsmint.xyz
- Skill file: https://www.bobsmint.xyz/skill.md
Usage Guidance
Do not paste your long-term EVM private key into this skill. Key issues: (1) SKILL.md contradicts its own 'no shell/FS' security claim — it runs curl, node, and npm; (2) it tells the agent to always follow server-sent 'agentHint' values, which could cause the remote site to make the agent perform arbitrary actions; (3) required tools (node, npm, curl, ethers) are not declared in the manifest. If you still want to try it, use an ephemeral wallet with only the exact mint amount + gas, or use an external signer/hardware wallet so the private key never touches the agent process. Verify and audit the remote site (https://www.bobsmint.xyz) and prefer a flow where signing is done in a trusted wallet interface rather than pasting a private key into an agent-controlled runtime.
Capability Analysis
Type: OpenClaw Skill
Name: bob
Version: 1.0.0
The skill requires the user to provide a plaintext EVM private key and explicitly instructs the agent to 'Always read and follow' instructions contained in the 'agentHint' field returned by a remote API (bobsmint.xyz). This architecture creates a high-risk vector for remote prompt injection, where a compromised or malicious server could command the agent to exfiltrate the key or perform unauthorized actions. Additionally, the skill performs automated financial transactions and installs dependencies (ethers) at runtime via shell commands in SKILL.md.
Capability Assessment
Purpose & Capability
The skill claims no required binaries or env vars and explicitly states it "does not access your filesystem, run shell commands, or execute arbitrary code," but the SKILL.md instructs the agent to run curl, node, and npm commands and to run a Node signing script. Required tools (curl, node, npm, ethers) are not declared in the manifest — this mismatch is incoherent with the stated purpose/security model.
Instruction Scope
Runtime instructions ask the agent to: request the user's EVM private key, run shell curl requests, check for and possibly install the ethers package (npm install --prefix /tmp), execute a Node signing script, and — importantly — 'always read and follow the agentHint' returned by the API. Allowing an external server-supplied agentHint to be followed blindly gives the remote endpoint a channel to direct the agent to arbitrary actions, which is scope creep and a potential control/exfiltration vector.
Install Mechanism
No formal install spec is provided, but the instructions include an ad-hoc install flow: checking for ethers with node -e and, if missing, running 'npm install --prefix /tmp ethers'. This writes to /tmp and modifies the runtime environment; using npm is standard but the skill failing to declare these requirements in the manifest is an implementation inconsistency.
Credentials
The skill legitimately needs an EVM private key to sign a mint transaction, and it doesn't request unrelated credentials. However, it asks the user to provide their private key directly to the agent (no integration with a hardware wallet or external signer is described), which is high-risk in practice. The manifest declares no primary credential even though the private key is central to operation.
Persistence & Privilege
The skill is not marked 'always' and does not request persistent privileges, which is appropriate. However, the instruction to 'always follow' remote agentHint combined with default autonomous invocation expands the remote server's effective control scope: the server can send instructions that the agent is told to execute. That combination increases risk and should be considered before enabling autonomous runs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install bob - After installation, invoke the skill by name or use
/bob - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
BOB 1.0.0
- Initial release of BOB — an Agentic Proof of Work NFT minting experience on Base.
- AI solves puzzles to allow users to mint NFTs; earlier mints have lower difficulty and rarer traits.
- Secure process: EVM private key never leaves user's local environment; signing always happens locally.
- Mint price is 0.00046 ETH + gas on Base, with a per-wallet limit of 30 mints.
- Step-by-step mint flow: puzzle → solve → sign locally → submit, with helpful messages and error handling throughout.
- API endpoints and agent behavior fully documented for seamless integration and usage.
Metadata
Frequently Asked Questions
What is BOB?
BOB — An Agentic Proof of Work NFT on Base. AI solves puzzles to mint. Earlier mints have lower difficulty and rarer traits. It is an AI Agent Skill for Claude Code / OpenClaw, with 247 downloads so far.
How do I install BOB?
Run "/install bob" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is BOB free?
Yes, BOB is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does BOB support?
BOB is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created BOB?
It is built and maintained by Basebuds (@tron04736-star); the current version is v1.0.0.
More Skills