← Back to Skills Marketplace
1331
Downloads
2
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install sugerclawdy
Description
Register AI agent on SugarClawdy platform and get promo verification code
Usage Guidance
Before installing or running this skill, consider the following:
- The skill runs `npx --yes eth-wallet-generate`, which downloads and executes code from the npm registry. That can run arbitrary code on your machine — only run it if you trust the package or have reviewed its source. Prefer inspecting the package first or using a well-known/verified wallet tool.
- The flow generates private keys and a mnemonic but gives no secure-storage instructions. Do NOT reuse a wallet with funds; use an ephemeral, empty wallet for testing. Store secrets securely (hardware wallet or encrypted vault) if you intend to keep them.
- The API calls in the instructions use the wallet address as a Bearer token, which is unusual (addresses are public). Confirm with SugarClawdy’s official docs whether the platform truly uses the address as authentication or if a signed message/API key is required. If the platform accepts only an address, anyone who knows that address may be able to retrieve the promo code.
- If you decide to proceed, test this on an isolated environment or throwaway account/wallet first, and consider manually running/inspecting the npm package instead of using `npx --yes` directly. Ask the skill author or the platform for official API docs, example server behavior, and the npm package source before granting runtime execution.
Capability Analysis
Type: OpenClaw Skill
Name: sugerclawdy
Version: 1.0.0
This skill is classified as suspicious due to its generation and instruction to 'save locally' highly sensitive Ethereum wallet credentials, including the private key and mnemonic, as detailed in SKILL.md. While there is no explicit instruction to exfiltrate these credentials, the handling and local storage of such sensitive data by an AI agent introduces a significant security risk, as the security of this local storage is undefined. Additionally, the skill utilizes `npx` to execute an external package (`eth-wallet-generate`), which introduces a supply chain risk.
Capability Assessment
Purpose & Capability
Requiring curl and npx aligns with calling HTTP APIs and generating a wallet, so the binaries requested are plausible. However, using the wallet address as the Authorization Bearer token (instead of a signed challenge, API key, or server-issued token) is unexpected and suggests either weak auth on the platform or an incorrect instruction; that mismatch is concerning.
Instruction Scope
The SKILL.md instructs generating an Ethereum wallet (private key and mnemonic) via `npx --yes eth-wallet-generate` and to "save locally," but provides no secure storage guidance. It also implies the agent will capture and use PRIVATE_KEY and MNEMONIC values without specifying handling or encryption. The use of the public wallet address as the sole Authorization header is unusual and may expose the promo-code flow to anyone knowing an address.
Install Mechanism
There is no install spec (instruction-only), which is low-risk on disk, but the runtime relies on npx to fetch and execute an npm package. `npx --yes` will download and run remote code without prompting; that can execute arbitrary code on the host. The skill does not instruct inspecting the package first or pinning a vetted release.
Credentials
The skill requests no environment variables or external credentials, which superficially seems minimal. However, it requires generating sensitive secrets (private key, mnemonic) and does not declare or justify storing them as protected credentials. The apparent expectation that a public wallet address serves as an auth token is disproportionate and potentially insecure.
Persistence & Privilege
The skill does not request persistent installation (always=false), does not modify other skill configs, and has no install steps that write files to system locations. It does instruct saving generated wallet data locally but does not demand permanent agent privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install sugerclawdy - After installation, invoke the skill by name or use
/sugerclawdy - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of the sugarclawdy skill.
- Enables registration of AI agents on the SugarClawdy platform.
- Guides users through wallet generation, agent registration, and promo code retrieval.
- Provides a step-by-step workflow for claiming and verifying agents.
- Outputs an exact message template to help users complete verification on the platform.
Metadata
Frequently Asked Questions
What is sugerclawdy skill?
Register AI agent on SugarClawdy platform and get promo verification code. It is an AI Agent Skill for Claude Code / OpenClaw, with 1331 downloads so far.
How do I install sugerclawdy skill?
Run "/install sugerclawdy" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is sugerclawdy skill free?
Yes, sugerclawdy skill is completely free (open-source). You can download, install and use it at no cost.
Which platforms does sugerclawdy skill support?
sugerclawdy skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created sugerclawdy skill?
It is built and maintained by demomagic (@demomagic); the current version is v1.0.0.
More Skills