← 返回 Skills 市场
479
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install 4claw-mint
功能描述
Mint 4Claw tokens on BSC through OpenClaw agents. Each agent can mint 100 tokens every 15 minutes. Use when the user wants to mint 4Claw tokens, check mint s...
使用说明 (SKILL.md)
4Claw Mint
Mint 4Claw (symbol: 4) tokens on BSC. Only OpenClaw agents can mint — the contract requires a signature from the authorized signer service.
Token Info
- Name: 4Claw, Symbol: 4
- Chain: BSC (Chain ID: 56)
- Contract:
0x5F4E6Ee459fA71C226131BCeD5694aAab3b481dB - Total Supply: 1,000,000
- Public Mint: 600,000 (100 per mint, 6000 total mints)
- LP Reserve: 400,000 (pre-minted to deployer)
- Cooldown: 15 minutes per wallet
How It Works
- Agent calls the signer service with its wallet address
- Service checks cooldown, generates nonce + deadline, signs the mint authorization
- Agent submits the signature to the on-chain contract
- Contract verifies signature, enforces cooldown, mints 100 tokens
Mint
Run the mint script with the agent's wallet private key:
node scripts/mint.js \x3CPRIVATE_KEY> \x3CSERVER_URL>
PRIVATE_KEY: Agent's BSC wallet private key (needs small BNB for gas)SERVER_URL: Signer service URL (default: http://43.160.201.224:3456)
The script handles everything: request signature → send tx → confirm → report balance.
Signer Service
The signer service must be running for mints to work. It validates requests and signs mint authorizations.
SIGNER_PRIVATE_KEY=0x... CONTRACT_ADDRESS=0x... node scripts/server.js
Endpoints:
POST /api/mint-signature— Request a mint signature. Body:{"wallet_address": "0x..."}GET /api/status— Check service status
Contract
Source: references/FourClaw.sol
Key functions:
mint(nonce, deadline, signature)— Mint 100 tokens (requires valid signer signature)lastMintTime(address)— Check when an address last mintedmintRemaining()— How many public mint tokens are leftsetSigner(address)— Owner can update the signer address
Setup for Deployer
- Deploy
FourClaw.solto BSC with constructor args:(signerAddress, lpWalletAddress) - Set env vars and start the signer service
- Share the skill — any OpenClaw agent with a BSC wallet can mint
Error Handling
- Cooldown not elapsed: Wait 15 minutes between mints
- Public mint exhausted: All 600,000 tokens have been minted
- Signature expired: Signature is valid for 5 minutes, retry
- Invalid signature: Signer service may be misconfigured
- Insufficient BNB: Agent wallet needs BNB for gas (~0.001 BNB per mint)
安全使用建议
This skill implements the advertised minting flow, but it has two practical risks you should consider before installing or running it:
- Default remote signer: The mint script defaults to http://43.160.201.224:3456. If you run the mint command without specifying a different SERVER_URL, your agent will contact that external server and reveal its wallet address and mint activity. Only use a remote signer you trust. Prefer running your own signer service (scripts/server.js) under your control.
- Undeclared sensitive env vars: The signer requires SIGNER_PRIVATE_KEY and CONTRACT_ADDRESS but the skill metadata doesn't declare these. If you deploy the signer, keep SIGNER_PRIVATE_KEY secret; anyone with it can sign mint authorizations.
Practical recommendations:
- Do not pass your private key to any third party. The mint.js script accepts your agent wallet private key as a CLI argument; run it locally and do not share that key.
- If you want to use this skill, host the signer yourself: set SIGNER_PRIVATE_KEY and CONTRACT_ADDRESS, run server.js on infrastructure you control, and call mint.js with SERVER_URL pointing to your signer.
- Verify the contract address and contract source independently (the SKILL.md lists a contract, but remote signers can return arbitrary contract addresses). Ensure the signer is configured to sign only for the intended contract and chain.
- If you cannot host your own signer or fully trust the default remote IP, do not use this skill. The behavior (external signer, undeclared secrets) is inconsistent with safe defaults.
功能分析
Type: OpenClaw Skill
Name: 4claw-mint
Version: 1.0.0
The skill is classified as suspicious due to a critical trust vulnerability in `scripts/mint.js`. While the `SKILL.md` specifies a contract address, the `mint.js` script retrieves the target contract address from an external, hardcoded server (`http://43.160.201.224:3456`). This allows the operator of that server to dictate which smart contract the agent interacts with using its private key, potentially redirecting funds or performing unauthorized actions on an attacker-controlled contract. This design flaw creates a high risk of exploitation, even though the script itself doesn't exhibit explicit malicious intent like data exfiltration or backdoor installation.
能力评估
Purpose & Capability
The skill's name and code (mint.js and server.js) match the stated purpose of minting 4Claw tokens on BSC. However the SKILL metadata declares no required credentials or secrets even though the included signer server requires a SIGNER_PRIVATE_KEY and CONTRACT_ADDRESS. Also the mint script defaults to a hard-coded remote SERVER_URL (http://43.160.201.224:3456) which is not justified by the metadata or documentation.
Instruction Scope
The runtime instructions ask agents to run node scripts/mint.js with the agent's wallet private key (reasonable for sending the transaction locally). But the mint script will POST the agent wallet address to a default external IP-based signer service (43.160.201.224). That server will learn which agent wallets are minting and can return arbitrary contract info/signatures. The SKILL.md does note you can run your own signer, but the default points to an external server the user likely does not control — a privacy and operational risk.
Install Mechanism
There is no install specification (instruction-only plus included scripts). Nothing is automatically downloaded or installed by the registry; the code is provided in the skill bundle. This is lower risk than arbitrary remote installs.
Credentials
The skill metadata does not declare any required environment variables or primary credential, yet scripts/server.js clearly requires SIGNER_PRIVATE_KEY and CONTRACT_ADDRESS to run. That mismatch is a red flag: sensitive credentials are necessary to operate the signer but are not advertised in the skill manifest. Also the default SERVER_URL points to a third-party IP — the skill could be used with that remote signer, which would collect agent wallet addresses and mint timing (privacy leak).
Persistence & Privilege
The skill does not request always:true, does not create persistent system-wide configuration, and does not alter other skills. It runs as-invoked and requires explicit execution by agents.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install 4claw-mint - 安装完成后,直接呼叫该 Skill 的名称或使用
/4claw-mint触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: mint 4Claw tokens on BSC via OpenClaw agents
元数据
常见问题
4Claw Mint 是什么?
Mint 4Claw tokens on BSC through OpenClaw agents. Each agent can mint 100 tokens every 15 minutes. Use when the user wants to mint 4Claw tokens, check mint s... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 479 次。
如何安装 4Claw Mint?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install 4claw-mint」即可一键安装,无需额外配置。
4Claw Mint 是免费的吗?
是的,4Claw Mint 完全免费(开源免费),可自由下载、安装和使用。
4Claw Mint 支持哪些平台?
4Claw Mint 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 4Claw Mint?
由 Xiaoyu(@xiaoyu022025)开发并维护,当前版本 v1.0.0。
推荐 Skills