cj42

Potato Tipper

Author: Jean Cvllr · GitHub ↗ · v1.0.2
cross-platform ⚠ suspicious
Total downloads: 446
Favorites: 1
Current installs: 0
Versions: 3
Install in OpenClaw
/install potato-tipper
Description
Skill for AI agents to setup the Potato Tipper on a Universal Profile on LUKSO (requires private key), and learn to build innovative tip-on-follow solutions.
Security usage recommendations
Do not paste or upload your private key into the agent. The skill's scripts and examples require a controller PRIVATE_KEY and will broadcast transactions (set data on your Universal Profile and authorize token operator allowances). The registry metadata failing to declare those env vars is a red flag; assume the skill will ask you to provide them if you follow the 'one-click' path. If you want to use this skill safely:
- Review the included code locally (repo is on GitHub) before running anything.
- Run setup only from your own trusted environment (not by pasting secrets into a chat/agent) and use a test account on testnet first.
- Prefer granting minimal controller permissions and temporary budgets; consider toggling permissions off after setup.
- If you must interact via an agent, restrict it to read-only operations (code review, explanation, or encoding helpers) and refuse any request to supply PRIVATE_KEY or other secret values.
- If the registry metadata is supposed to list required env vars, ask the publisher to correct that mismatch before trusting automated flows.
Functional analysis
Type: OpenClaw Skill
Name: potato-tipper
Version: 1.0.2

The skill is classified as suspicious due to its direct handling of a user's private key and reliance on an external GitHub repository. The `SKILL.md` and `scripts/setup_potato_tipper.sh` explicitly instruct the AI agent to use a `PRIVATE_KEY` environment variable to sign and broadcast blockchain transactions via `forge script`. While the Solidity script (`SetupPotatoTipper.s.sol`) and the shell script appear to perform legitimate configuration actions for the 'Potato Tipper' application, the direct exposure and use of a private key by an AI agent represent a critical vulnerability. Additionally, the `setup_potato_tipper.sh` script performs a `git clone` from an external URL (`https://github.com/CJ42/potato-tipper-contracts.git`), introducing a supply chain risk if that repository were ever compromised. These are significant security risks, even without clear evidence of intentional malicious exfiltration or unauthorized actions within the provided code.
Capability assessment
Purpose & Capability
The name/description (install PotatoTipper on a LUKSO Universal Profile) matches the provided files: ABIs, encoding helpers, Foundry/TypeScript examples, and a setup script. However the registry metadata claims 'Required env vars: none' while the scripts and SKILL.md explicitly require a controller PRIVATE_KEY and several other env vars (TIP_AMOUNT, UP_ADDRESS, etc.). That mismatch is unexpected and warrants caution.
Instruction Scope
SKILL.md and included files provide step-by-step setup that instructs cloning the GitHub repo and running a Foundry script which expects PRIVATE_KEY and will broadcast transactions to the LUKSO RPC. The runtime instructions therefore go beyond passive reading: they direct actions that change on‑chain state and authorize token allowances. This is within the skill's stated purpose but requires handling a private key and running repo code — both high-risk operations if done via an agent or without manual oversight.
Install Mechanism
There is no formal install spec (instruction-only), but the included shell script clones a public GitHub repo (github.com/CJ42/potato-tipper-contracts) and executes a Foundry script. Cloning from GitHub is a common, traceable pattern (lower risk than arbitrary URLs), but executing code from a remote repo that will broadcast transactions increases risk and should be done locally by the user after manual review.
Credentials
The skill effectively requires a sensitive PRIVATE_KEY (EOA controller key) plus other env vars to perform its main function, yet the registry metadata lists no required env vars or primary credential. Asking for a private key is proportionate to the action of configuring a UP on-chain, but the omission in metadata is an incoherence and a security concern: the agent or script may prompt for or request sensitive credentials unexpectedly. Also the scripts authorize an operator on the user's token (spend allowance), which is a powerful action and must be considered by the user.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or global agent settings. The default ability for the agent to invoke the skill autonomously is allowed by platform defaults; combined with the above credential/transaction concerns this increases potential blast radius if the agent were given a private key or instructed to run the setup automatically. Treat autonomous runs as risky when private keys are involved.
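How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install potato-tipper
  3. Once installation is complete, call the Skill by name or use /potato-tipper to trigger it
  4. Provide the necessary inputs according to the Skill's parameter documentation to get structured output
Version history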
v1.0.2
- Simplified and clarified the skill description and audience.
- Refocused on setup, configuration, and technical guidance for Potato Tipper on LUKSO Universal Profiles.
- Highlighted core learning areas: protocol understanding, troubleshooting, configuring permissions/data keys, and tip-on-follow integrations.
- Explicitly stated TypeScript and Solidity code example support.
- Non-essential/overly detailed architectural explanations trimmed for brevity.
- No file or functional changes to code; documentation only.
v1.0.1
- Added an audience-friendly summary at the top describing Potato Tipper and common use-cases.
- Streamlined workflows to focus on setup, permissions, and integration (testing/deployment commands moved or removed).
- Workflow order revised: configuration/setup workflow is now featured as the first technical step for users.
- Clarified the skill’s usage for understanding, troubleshooting, and innovating with Potato Tipper.
- Minor edits for conciseness, clarity, and consistent formatting throughout the documentation.
v1.0.0
Potato Tipper 1.0.0
- Initial release of the potato-tipper skill for interacting with the Potato Tipper Foundry smart-contract repo.
- Covers architecture, LUKSO/LSP integrations (LSP1, LSP7, LSP26, ERC725Y), tests, deployment, permissions, and security review.
- Includes detailed setup instructions, code examples in TypeScript and Solidity, and quick-start workflows.
- Provides one-click Foundry script for configuring a Universal Profile with PotatoTipper and tipping budget.
- Reference links to deployed contract addresses and manual configuration details.
Metadata
Slug potato-tipper
Version 1.0.2
License
Total installs 0
Current installs 0
Number of versions 3
FAQ

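What is Potato Tipper?

Skill for AI agents to setup the Potato Tipper on a Universal Profile on LUKSO (requires private key), and learn to build innovative tip-on-follow solutions. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 446 total downloads to date.

How do I install Potato Tipper?

Run the command "/install potato-tipper" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is Potato Tipper free?

Yes, Potato Tipper is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Potato Tipper support?

Potato Tipper runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Potato Tipper?

Developed and maintained by Jean Cvllr (@cj42); the current version is v1.0.2.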
