← 返回 Skills 市场
tron04736-star

Public

作者 Basebuds · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
621
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install base-buds
功能描述
Mint a Base Bud NFT from the agent-only collection on Base mainnet. Requires solving a challenge, paying 1 USDC (x402), and an EVM wallet.
使用说明 (SKILL.md)

Base Buds Mint

Mint a Base Bud NFT from the agent-only collection on Base mainnet.

Key Files

File URL
SKILL.md (this file) https://budsbase.xyz/skill.md

Install locally:

mkdir -p ~/.openclaw/skills/base-buds
curl -s https://budsbase.xyz/skill.md > ~/.openclaw/skills/base-buds/SKILL.md

Or just read the URL directly!

Base URL: https://budsbase.xyz/api

Prerequisites

  • An EVM wallet keypair with at least 0.00025-0.000415 ETH for gas and 1 USDC on Base mainnet (chain ID 8453)
  • Ability to solve challenges (math, code, logic)

Security

  • Your EVM private key should never leave your local environment — signing happens locally
  • This skill makes only HTTP API calls. It does not access your filesystem, run shell commands, or execute arbitrary code

How It Works

The mint flow has four steps: challenge → prepare → complete (pay & get tx) → broadcast.

Step 1: Request a challenge

curl -X POST https://budsbase.xyz/api/challenge \
  -H "Content-Type: application/json" \
  -d '{"wallet": "YOUR_EVM_ADDRESS"}'

Response:

{
  "challengeId": "0xabc123...",
  "puzzle": "What is 347 * 23 + 156?",
  "expiresAt": 1699999999999
}

Step 2: Prepare & sign payment

A single node script that submits the challenge answer to /prepare, then signs the USDC payment locally. Your private key never leaves your machine.

Note: /prepare returns only payment data — no mint transaction. The mint transaction is only available after payment settles in Step 3.

import { ethers } from "ethers";

const PK = "YOUR_PRIVATE_KEY";
if (!/^0x[0-9a-fA-F]{64}$/.test(PK)) throw new Error("Invalid private key — must be 0x + 64 hex chars");
const wallet = new ethers.Wallet(PK);

// 2a. Submit challenge answer, get payment data
const res = await fetch("https://budsbase.xyz/api/prepare", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ wallet: wallet.address, challengeId: "CHALLENGE_ID", answer: "ANSWER" }),
});
const { prepareId, payment } = await res.json();

// 2b. Sign USDC payment (EIP-712)
const paymentSignature = await wallet.signTypedData(payment.domain, payment.types, payment.values);

console.log(JSON.stringify({ prepareId, paymentSignature }));

Step 3: Complete (settle payment & get unsigned mint tx)

Submit the payment signature. The backend settles 1 USDC on-chain first, then returns the unsigned mint transaction.

curl -X POST https://budsbase.xyz/api/complete \
  -H "Content-Type: application/json" \
  -d '{
    "prepareId": "0x\x3Cfrom_step_2>",
    "paymentSignature": "0x\x3Cfrom_step_2>"
  }'

Response:

{
  "success": true,
  "settleTxHash": "0x...",
  "transaction": { "to": "0x...", "data": "0x...", "chainId": 8453, "nonce": 5, "type": 2, "..." : "..." },
  "message": "Payment settled. Sign the transaction and POST to /api/broadcast."
}

Step 4: Sign & broadcast

Sign the mint transaction locally, then submit it.

import { ethers } from "ethers";

const PK = "YOUR_PRIVATE_KEY";
if (!/^0x[0-9a-fA-F]{64}$/.test(PK)) throw new Error("Invalid private key — must be 0x + 64 hex chars");
const wallet = new ethers.Wallet(PK);
const transaction = /* transaction object from Step 3 */;

const signedTransaction = await wallet.signTransaction(transaction);
console.log(JSON.stringify({ signedTransaction }));

curl -X POST https://budsbase.xyz/api/broadcast \
  -H "Content-Type: application/json" \
  -d '{"signedTransaction": "0x\x3Cfrom_above>"}'

Response:

{
  "success": true,
  "tokenId": 9,
  "minter": "0x...",
  "txHash": "0x...",
  "minted": 2,
  "remaining": 18,
  "message": "Successfully minted Base Bud #9! You have minted 2 Base Buds. You can mint up to 18 more."
}

Agent Behavior

  • The user will provide their wallet address and private key. That's all you need — handle the entire mint flow from there without asking further questions.
  • Step 1 (challenge): use curl.
  • Step 2 (prepare & sign payment): use a single node script that fetches /prepare and signs the USDC payment. Do NOT split this into separate curl + node steps.
    • ethers fallback: Before running the script, check if ethers is available: node -e "require('ethers')". If it fails, install to a temp location: npm install --prefix /tmp ethers, then run the script with NODE_PATH=/tmp/node_modules.
  • Step 3 (complete): use curl — this settles payment and returns the unsigned mint tx.
  • Step 4 (sign & broadcast): use a single node script that signs the transaction from Step 3, then use curl to POST the signed tx to /broadcast.
  • After each step, briefly tell the user what happened before moving to the next.
  • Handle errors gracefully — if a step fails, explain why and retry or stop.
  • Mint limit reached (409): If /challenge returns 409, ask the user for a new wallet address and private key, then restart the flow with the new wallet.
  • Never expose the user's private key in output or logs.
  • Signing must always happen locally — never send private keys over the network.

Error Codes

/challenge

Code Meaning
400 Invalid wallet address or missing fields
409 Wallet has reached the mint limit (20)
410 Collection is fully minted
500 Server error

/prepare

Code Meaning
400 Invalid wallet address, missing fields
403 Challenge answer is incorrect or expired
500 Server error

/complete

All errors include a code field you can switch on:

code HTTP Meaning
missing_prepare_id 400 No prepareId provided
missing_payment_signature 400 No paymentSignature provided
prepare_session_expired 400 Session not found or expired — call /prepare again
authorization_expired 400 USDC authorization validBefore has passed
authorization_not_yet_valid 400 USDC authorization validAfter is in the future
insufficient_usdc_balance 400 Wallet doesn't have enough USDC
payment_verification_failed 402 x402 facilitator rejected the payment signature
payment_settlement_failed 402 x402 facilitator couldn't settle the USDC transfer

/broadcast

code HTTP Meaning
missing_signed_transaction 400 No signedTransaction provided
nonce_too_low 400 Wallet has pending txs — call /complete again
insufficient_eth 400 Not enough ETH for gas
already_known 409 Transaction was already submitted
mint_reverted 400 Mint transaction reverted on-chain
broadcast_failed 500 Failed to broadcast transaction

Notes

  • Chain: Base mainnet (chain ID 8453)
  • x402 payment: 1 USDC per mint, paid via EIP-712 signed USDC TransferWithAuthorization
  • Two signing operations: EIP-712 for USDC payment (Step 2) + EIP-1559 for mint transaction (Step 4)
  • Challenge expiration: Challenges expire after 5 minutes
  • Total supply: 6,000 NFTs
  • Up to 20 mints per wallet
  • Gas cost: ~0.00025-0.000415 ETH per mint on Base
安全使用建议
This skill may be legitimate, but exercise caution. Key points to consider before installing or using it: - Do not paste your mainnet private key into any agent or prompt. Prefer an external signer (hardware wallet, MetaMask, or a dedicated signing service) or use an ephemeral wallet with only the minimum funds required. - The SKILL.md requires node and npm at runtime but the skill metadata does not declare them; ensure you are comfortable allowing the agent to run Node, execute scripts, and install an npm package to /tmp. - Verify the service domain (budsbase.xyz) and its TLS certificate before sending any signed data to it. Consider reviewing the API contract or contacting the project to confirm behavior. - If you must proceed, limit exposure: use a throwaway wallet with minimal ETH/USDC, and avoid reusing keys if the flow requests additional wallets after a 409 limit. Prefer signing transactions in a wallet you control rather than giving a plaintext private key to an agent. - If you need a definitive safety verdict, request additional information from the skill author: (1) declare required runtime binaries (node, npm) in metadata, (2) offer an external-signing option, and (3) provide an auditable reference implementation or source code repository for the scripts mentioned.
功能分析
Type: OpenClaw Skill Name: base-buds Version: 1.0.1 The skill instructs the agent to handle user-provided private keys for local signing operations, explicitly stating that keys will not leave the local environment. It also instructs the agent to execute `npm install` for the `ethers` library if not found, installing it to a temporary location. Furthermore, the agent is instructed to re-prompt the user for a new wallet address and private key if a mint limit is reached. While these actions are presented within a legitimate context for NFT minting, the capabilities to handle sensitive credentials, execute package installations, and dynamically request new credentials from the user (all detailed in `skill.md`) represent a significant attack surface and powerful agent capabilities that could be exploited if the skill were compromised or modified, classifying it as suspicious rather than benign.
能力评估
Purpose & Capability
The skill claims only HTTP-based minting with local signing, which fits an NFT mint flow. However, the SKILL.md explicitly requires running Node scripts and optionally running `npm install` to fetch the ethers library — yet the skill metadata declares no required binaries or install steps. That mismatch (no declared dependency on node/npm while instructions demand them) is incoherent.
Instruction Scope
Instructions ask the agent to obtain the user's EVM private key and wallet address, run two Node scripts (signing payment and signing the mint tx), call multiple API endpoints on budsbase.xyz, and install ethers into /tmp if missing. While local signing is consistent with the task, the agent is told to request raw private keys from the user and to run npm install in a temp location — both expand scope beyond simple API calls and require executing code on the host. The SKILL.md also tells the agent to restart the flow with a new private key if a mint limit is reached, which could encourage repeatedly requesting new sensitive keys.
Install Mechanism
There is no formal install spec (instruction-only), which is lowest-risk in principle. But the runtime directions include an on-demand `npm install --prefix /tmp ethers` fallback. Installing packages from npm at runtime is moderate risk: it's a traceable registry but can introduce arbitrary code execution. The use of /tmp and runtime installs should have been declared in the metadata; absence of that declaration is the primary concern, not the presence of npm itself.
Credentials
The skill requests the user's EVM private key (sensitive, effectively full access to the wallet). For signing transactions this is functionally necessary if the user cannot sign externally, but the skill offers no option to integrate with an external signer/hardware wallet or to use a read-only flow. The instruction to request additional private keys if mint limits are hit further increases risk. No environment variables or credentials are declared, but the skill will effectively require a high-sensitivity secret (private key) from the user — this should be made explicit in metadata and safer alternatives should be offered.
Persistence & Privilege
The skill does not request permanent presence (always:false) and has no install spec that writes to system config. Its runtime suggestion to install ethers into /tmp is transient and scoped to /tmp; it does not ask to modify other skills or system settings. No other elevated privileges are requested.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install base-buds
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /base-buds 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
Update gas range to 0.00025-0.000415 ETH
v1.0.0
Initial release of Base Buds mint skill. - Enables minting of Base Bud NFT from an agent-only collection on Base mainnet. - Requires solving a challenge, payment of 1 USDC (via x402), and an EVM wallet with at least 0.001 ETH. - Guides users through a four-step mint process: challenge, prepare & sign payment, complete, and broadcast. - Emphasizes local signing—private keys never leave the user’s environment. - Supports up to 20 mints per wallet with a 6,000 NFT total supply.
元数据
Slug base-buds
版本 1.0.1
许可证
累计安装 0
当前安装数 0
历史版本数 2
常见问题

Public 是什么?

Mint a Base Bud NFT from the agent-only collection on Base mainnet. Requires solving a challenge, paying 1 USDC (x402), and an EVM wallet. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 621 次。

如何安装 Public?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install base-buds」即可一键安装,无需额外配置。

Public 是免费的吗?

是的,Public 完全免费(开源免费),可自由下载、安装和使用。

Public 支持哪些平台?

Public 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Public?

由 Basebuds(@tron04736-star)开发并维护,当前版本 v1.0.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论