POIDH Bounty Bot
Author: saltoriousSIG · v1.0.3
Total downloads: 557
Favorites: 1
Current installs: 0
Versions: 4
Install in OpenClaw
/install poidh
Description
Post bounties and evaluate/accept winning submissions on poidh (pics or it didn't happen) on Arbitrum, Base, or Degen Chain. Use this skill when the user wan...
Security usage recommendations
This skill will need your wallet private key and an RPC URL to operate — both are highly sensitive. Before installing or using it: (1) Confirm with the publisher why the registry metadata omitted the PRIVATE_KEY / RPC_URL / binaries listed in SKILL.md. (2) Prefer safer signing: use a dedicated ephemeral EOA with minimal funds, a remote signer, or hardware wallet rather than pasting your main private key. (3) If you must provide a key, avoid passing it on the command line (the examples do); that exposes it to process listings and logs. (4) Test with very small amounts on the target chain and verify the contract addresses and MIN_BOUNTY_AMOUNT on-chain yourself. (5) Be aware the agent will fetch and evaluate arbitrary external URIs attached to claims — those URIs can host malicious content or tracking. If you are uncomfortable with these risks or cannot use a delegated signer, do not install/enable this skill.
Functional analysis
Type: OpenClaw Skill
Name: poidh
Version: 1.0.3
This skill is classified as suspicious due to its inherent vulnerability surface related to fetching and evaluating arbitrary external content from untrusted sources. The skill instructs the AI agent to retrieve claim URIs (e.g., IPFS, Arweave, HTTP links) and then fetch and process the content (images, web pages, videos, documents) using Python's `requests.get()` and the agent's native vision/web fetch tools. A malicious claimant could provide a specially crafted URI pointing to content designed to exploit vulnerabilities in the agent's processing capabilities (e.g., image parsers, web renderers), potentially leading to remote code execution or data exfiltration from the agent's environment. While the skill's stated purpose is benign, this mechanism introduces a significant attack vector, making it a critical vulnerability rather than direct malicious intent within the skill's code itself. Additionally, the skill requires access to a `PRIVATE_KEY` for on-chain transactions, which, while necessary for its function, elevates the risk profile if the agent were to be compromised through the aforementioned content processing vulnerability.
Capability assessment
Purpose & Capability
The SKILL.md clearly requires a PRIVATE_KEY, RPC_URL, and POIDH_CHAIN and lists required binaries (cast, python3) to sign and send transactions and to fetch/evaluate claims. Those requirements are coherent with the stated purpose (creating and accepting Poidh bounties). However, the registry metadata reported earlier (no required env vars / no required binaries) contradicts SKILL.md. That mismatch is notable: either the registry metadata is incomplete or the instructions are out-of-date.
Instruction Scope
Runtime instructions direct the agent to use the user's EOA PRIVATE_KEY to sign transactions (cast send --private-key), query the chain, fetch claim URIs (which can be arbitrary external URLs/IPFS/tweets/pages), and evaluate content via vision. Fetching and evaluating arbitrary external content is expected for this task but expands the attack surface (malicious payloads, tracking URLs). Using the raw private key on the agent and passing it as a CLI argument increases exposure (process lists, logs).
Install Mechanism
This is an instruction-only skill with no install spec or code files, which minimizes file-system risk. SKILL.md does declare required binaries (cast, python3) but the registry claimed none — the inconsistency should be resolved. No downloads or external installers are present.
Credentials
Requesting a full PRIVATE_KEY and RPC_URL is functionally necessary to post/accept on-chain bounties, but it is a high-privilege secret. The skill does not propose safer alternatives (e.g., signing via a hardware wallet, remote signer, or delegated service). Passing the private key on the command line (as shown) can leak it via process listings or logs. The declared registry metadata failing to list these env vars is an additional red flag.
Persistence & Privilege
The skill is not marked always:true and has no install spec that writes persistent binaries or modifies other skills. Autonomous invocation is allowed (default) and is not, by itself, a new concern; combined with the private key requirement and the fetching of external content, however, it raises the risk.
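How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install poidh
- Once installation completes, call the Skill by name or use /poidh to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history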
v1.0.3
poidh v1.0.3
- Added Degen Chain support (new contract address, explorer, and bounty minimums).
- Updated description and instructions to cover Arbitrum, Base, and Degen.
- Added chain-specific poidh.xyz URL and frontend bounty ID offset logic.
- Updated command examples for returning frontend-ready URLs and IDs when posting bounties.
- Improved clarity and accuracy of environment variable and chain selection documentation.
v1.0.2
poidh v1.0.2
- Added explicit documentation for minimum bounty and minimum contribution amounts per supported chain (Arbitrum, Base, Degen).
- Advised users to always verify minimums on-chain using the relevant contract calls.
- No functional code changes; update strictly improves clarity and onboarding for bounty creators and contributors.
v1.0.1
- Added multi-chain support: use the `POIDH_CHAIN` variable to target `arbitrum`, `base`, or `degen` (contract addresses are resolved automatically).
- Removed manual `POIDH_CONTRACT_ADDRESS` configuration; it is now derived from `POIDH_CHAIN`.
- Updated task instructions and URLs to adapt dynamically to the selected chain.
- Environment variable setup, chain references, and explorer/documentation links are clarified for all supported networks.
v1.0.0
Initial Commit
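Metadata
FAQ
What is POIDH Bounty Bot?
Post bounties and evaluate/accept winning submissions on poidh (pics or it didn't happen) on Arbitrum, Base, or Degen Chain. Use this skill when the user wan... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 557 cumulative downloads so far.
How do I install POIDH Bounty Bot?
Run the command "/install poidh" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is POIDH Bounty Bot free?
Yes, POIDH Bounty Bot is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does POIDH Bounty Bot support?
POIDH Bounty Bot runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed POIDH Bounty Bot?
It is developed and maintained by saltoriousSIG (@saltorioussig); the current version is v1.0.3.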