← Back to Skills Marketplace
951
Downloads
6
Stars
0
Active Installs
21
Versions
Install in OpenClaw
/install openfunderse-strategy
Description
Participant MoltBot for allocation proposal, validation, and submission
Usage Guidance
This pack appears to do what it says (a participant bot) but installs and runtime actions make persistent, high-impact changes. Before installing: (1) review the npm package @wiimdy/[email protected] source and maintainer history; (2) never use treasury/admin keys — create a dedicated wallet and keep keys offline where feasible; (3) prefer running install with --no-sync-openclaw-env and --no-restart-openclaw-gateway to avoid automatic global mutations, and manually inspect any files written to ~/.openclaw; (4) ensure PARTICIPANT_TRUSTED_RELAYER_HOSTS and PARTICIPANT_ALLOW_HTTP_RELAYER are set conservatively to avoid talking to untrusted relayers; (5) back up and audit ~/.openclaw/openclaw.json before and after changes; (6) if you must automate submission, enable PARTICIPANT_REQUIRE_EXPLICIT_SUBMIT or similar safeguards; and (7) consider testing in an isolated VM or non-production environment first. If you want a firmer permit/deny decision, request the npm package source (or a signed release) and the exact install commands the operator intends to run so those artifacts can be examined.
Capability Analysis
Type: OpenClaw Skill
Name: openfunderse-strategy
Version: 2.0.2
The skill is classified as suspicious due to its high-risk capabilities and reliance on external, unreviewed code. It requires access to a sensitive `PARTICIPANT_PRIVATE_KEY`, modifies global OpenClaw configuration (`~/.openclaw/openclaw.json`), restarts the OpenClaw gateway, and performs network communication to an external `RELAYER_URL` (with an option to disable HTTPS), as detailed in `SKILL.md`. The installation process relies on `npx @wiimdy/[email protected]`, whose source code is not provided, introducing a supply chain risk. While the `SKILL.md` includes explicit security warnings and safety gates, these capabilities present a significant attack surface if the underlying package is malicious or if the AI agent is compromised via prompt injection.
Capability Assessment
Purpose & Capability
Name/description (Participant MoltBot for allocation proposal/validation/submission) align with the declared requirements: node/npm, PARTICIPANT_PRIVATE_KEY, RELAYER_URL, RPC_URL, CHAIN_ID, PARTICIPANT_ADDRESS and submission flags — these are expected for a blockchain relayer/participant agent.
Instruction Scope
The SKILL.md instructs the agent to run npx commands, generate or rotate wallet keys, write sensitive values into ~/.openclaw/workspace/.env.participant and ~/.openclaw/openclaw.json, and recommends restarting the OpenClaw gateway. Those actions read/write global runtime state and persistent files beyond the skill's local scope and can affect other skills and the runtime.
Install Mechanism
No install spec in the package registry, but SKILL.md instructs using npx @wiimdy/[email protected] which fetches and executes code from npm at install time. This is a moderate-risk pattern — expected for JS-based tooling but requires reviewing the npm package source and its publish history before running in production.
Credentials
Requested env vars are relevant to the bot's function and the primary credential (PARTICIPANT_PRIVATE_KEY) is expected. However the skill both encourages storing and rotating private keys on disk and syncs sensitive env values into a global openclaw.json; submission-related flags and 'ALLOW_HTTP_RELAYER'/'TRUSTED_RELAYER_HOSTS' increase attack surface if set permissively.
Persistence & Privilege
While always:false, install and bot-init explicitly mutate global OpenClaw runtime state (sync into ~/.openclaw/openclaw.json, write wallet backups to ~/.openclaw/workspace/openfunderse/wallets, run openclaw gateway restart). That gives the skill lifecycle the ability to persist secrets to disk and impact other skills or gateway behavior.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openfunderse-strategy - After installation, invoke the skill by name or use
/openfunderse-strategy - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.2
Improve Security strategy skill release
v2.0.1
Improve Security strategy skill release
v2.0.0
Improve Security strategy skill release
v1.2.0
Improve Security strategy skill release
v1.1.2
Improve Security strategy skill release
v0.1.2
Split skill pack, aligned skill folder/name, improved install defaults and bot-init safety.
v1.1.1
Enable model invocation for skill discoverability while keeping explicit submit safety gates in policy guidance.
v1.1.0
Re-register strategy skill after registry missing-slug issue.
v1.0.12
Add explicit ClawHub install command to Quick Start: npx clawhub@latest install openfunderse-strategy.
v1.0.11
Retry publish to refresh registry index after metadata null-state; same quick-start command update retained.
v1.0.10
Update quick-start to single command: npm init -y && npm i @wiimdy/[email protected] --ignore-scripts.
v1.0.9
Simplify ClawHub onboarding: pinned runtime install + one-line env scaffold copy from installed runtime package; keep security-first wording without npx @latest guidance.
v1.0.8
Remove npx @latest install guidance; enforce pinned runtime install command, add source verification commands and official npm/repo links.
v1.0.7
Add explicit production security guidance: runtime version pinning, source review note, least-privilege key handling/rotation, and stronger auto-submit caution.
v1.0.6
Add prominent ClawHub quick-start section with required runtime install: npm i @wiimdy/openfunderse-agents.
v1.0.5
Document required runtime installation, clarify strategy runtime dependencies, and align env declaration with submit-gate and AA execution settings.
v1.0.4
No changes detected for this version.
- No file or documentation updates were made in version 1.0.4.
v1.0.3
Align skill metadata with runtime safety gates; declare submit-gate/trusted-relayer envs; disable autonomous invocation; remove legacy private-key fallback wording and unnecessary binary requirements.
v1.0.2
Hardened submission safety gates: explicit submit required by default, trusted RELAYER_URL host validation, and credential metadata clarification.
v1.0.1
Improve Security strategy skill release
Metadata
Frequently Asked Questions
What is OpenFunderse Strategy?
Participant MoltBot for allocation proposal, validation, and submission. It is an AI Agent Skill for Claude Code / OpenClaw, with 951 downloads so far.
How do I install OpenFunderse Strategy?
Run "/install openfunderse-strategy" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenFunderse Strategy free?
Yes, OpenFunderse Strategy is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OpenFunderse Strategy support?
OpenFunderse Strategy is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OpenFunderse Strategy?
It is built and maintained by wiimdy (@wiimdy); the current version is v2.0.2.
More Skills