NFT Skill - Autonomous AI Artist Agent

Autonomous AI Artist Agent for generating, evolving, minting, listing, and promoting NFT art on the Base blockchain. Use when the user wants to create AI art, mint ERC-721 NFTs, list on marketplace, monitor on-chain sales, trigger artistic evolution, or announce drops on X/Twitter.

What to check before installing/use: - Metadata mismatch: the registry entry claims no env vars / no primary credential, but SKILL.md and the source require many secrets (BASE_PRIVATE_KEY, Pinata keys, LLM/image provider keys, X/Twitter keys). Do not trust the registry summary — review SKILL.md and README instead. - Private key risk: the skill can sign on‑chain transactions. Use a dedicated wallet with minimal funds (testnet or a small mainnet wallet) and prefer PRIVATE_KEY_FILE pointing to a file with restricted permissions rather than pasting a main private key into .env. - Autonomous actions: the skill is designed to autonomously mint/list and post to X. If you plan to let an agent invoke this skill autonomously, restrict credentials and monitor activity closely (or disable autonomous invocation until you audit the code). - Installation: the install runs npm install/build from the skill directory and will install third‑party npm packages — review package.json and package-lock.json for any unexpected dependencies. The install metadata contains a minor error claiming it 'creates binaries: node' — node should already be present on the host. - Verify source: the SKILL.md references a GitHub homepage (https://github.com/Numba1ne/nft-skill) but the registry/source fields you were given say 'unknown' / 'none'. Try to find the canonical repository and inspect commit history or a verified release. If you cannot find a trustworthy upstream, treat the package as higher risk. - Test on testnet first: deploy and run the skill on Base Sepolia (or a local chain) and use throwaway API keys to confirm behavior before supplying production keys. - Principle of least privilege: only provide the environment variables actually needed for the operations you want (e.g., omit X_* keys if you won't use tweet feature), and rotate any keys provided to the skill after testing. If you want, I can: - Highlight exact lines in the source that read/write the private key, PINATA, or social APIs. - Produce a minimal .env example and a recommended low-permission test wallet configuration. - Check package.json/package-lock.json for any uncommon/native modules to audit further.

Type: OpenClaw Skill Name: nft-skill Version: 1.0.0 The skill is classified as suspicious due to its extensive requirement for highly sensitive credentials, including a blockchain private key (`BASE_PRIVATE_KEY`) and numerous API keys for IPFS (`PINATA_API_KEY`, `PINATA_SECRET`), LLM providers (`OPENROUTER_API_KEY`, `GROQ_API_KEY`, `OLLAMA_BASE_URL`), AI image generation (`STABILITY_API_KEY`, `OPENAI_API_KEY`), and social media (`X_CONSUMER_KEY`, `X_CONSUMER_SECRET`, `X_ACCESS_TOKEN`, `X_ACCESS_SECRET`). While these permissions are plausibly needed for the stated purpose of an autonomous NFT artist agent (minting, listing, promoting, and evolving art), the sheer volume and sensitivity of these credentials, combined with the agent's autonomous nature, present a significant attack surface for potential misuse if the agent were compromised or subtly prompted to deviate from its intended purpose. No direct evidence of intentional malicious behavior or prompt injection was found in `SKILL.md` or the code, but the broad permissions elevate the risk beyond benign.