Downloads: 739
Stars: 0
Active Installs: 0
Versions: 4
Install in OpenClaw
/install openfunderse-participant
Description
Participant MoltBot for allocation proposal, validation, and submission
Usage Guidance
Before installing:
1) Treat PARTICIPANT_PRIVATE_KEY as highly sensitive — use a dedicated wallet with minimal funds and never reuse admin/treasury keys.
2) Review the npm package source (@wiimdy/openfunderse) before running npx, or install from a vetted artifact in an isolated environment.
3) The installer/bot-init will write envs and wallet files under ~/.openclaw and may restart the OpenClaw gateway — back up ~/.openclaw/openclaw.json and consider using --no-sync-openclaw-env and --no-restart-openclaw-gateway.
4) Prefer running this skill on a separated VM/container if you want to limit blast radius.
5) Verify RELAYER_URL and TRUSTED_RELAYER_HOSTS values and avoid allowing plain HTTP relayers unless you understand the network risks.
If you need greater assurance, ask the publisher for the package source or a signed release and for details about exactly what bot-init writes and where.
Capability Analysis
Type: OpenClaw Skill
Name: openfunderse-participant
Version: 2.0.2
The skill is classified as suspicious due to several high-risk capabilities and potential vulnerabilities, despite lacking clear evidence of intentional malicious behavior. Key indicators include the `installCommand` in `SKILL.md` which executes remote code via `npx @wiimdy/openfunderse`, introducing a supply chain risk. The skill also handles a highly sensitive `PARTICIPANT_PRIVATE_KEY` (generating, storing backups in `~/.openclaw/workspace/openfunderse/wallets`, and using it for signing), and modifies global OpenClaw runtime state by updating `~/.openclaw/openclaw.json` and restarting the gateway. While these actions are described as part of its legitimate function, they represent significant attack surfaces and powerful capabilities that could be exploited if the external package is compromised or if configurations like `PARTICIPANT_ALLOW_HTTP_RELAYER` are set insecurely.
Capability Assessment
Purpose & Capability
The declared env vars (RPC_URL, RELAYER_URL, CHAIN_ID, PARTICIPANT_PRIVATE_KEY, PARTICIPANT_ADDRESS, BOT_ID, and submission flags) and need for node/npm align with a participant that signs and submits allocation claims on a chain. Nothing requested appears unrelated to the stated participant role.
Instruction Scope
SKILL.md instructs using npx to install a runtime, optionally generating/rotating a wallet, writing env vars into ~/.openclaw/openclaw.json and wallet backups under ~/.openclaw/workspace/openfunderse/wallets, and restarting the OpenClaw gateway. These actions are within the domain of a participant bot but give the skill broad discretion to mutate global agent state and persist keys to disk — important to be aware of.
Install Mechanism
Installation is via an npx command that fetches @wiimdy/openfunderse from npm at runtime. Fetching and executing remote npm code is normal for JS tooling but introduces risk: the package code runs on install and should be reviewed before running in production.
Credentials
Required envs are numerous but relevant for wallet-based blockchain interaction. The primary credential is PARTICIPANT_PRIVATE_KEY (highly sensitive) — the README explicitly warns about this and recommends a dedicated key. The volume of envs is defensible but increases the attack surface if mismanaged.
Persistence & Privilege
The skill (via install/bot-init) writes private keys and envs into user home paths and triggers an OpenClaw gateway restart, which affects global runtime state and other skills. While this may be required for operation, it is a meaningful privilege that warrants caution (back up the existing openclaw.json, use flags to avoid auto-sync/restart, or run in an isolated environment).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install openfunderse-participant`
- After installation, invoke the skill by name or use `/openfunderse-participant`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.2
Improve Security part skill release
v2.0.1
Improve Security part skill release
v2.0.0
Improve Security part skill release
v1.1.2
Improve Security part skill release
Frequently Asked Questions
What is OpenFunderse Participant?
Participant MoltBot for allocation proposal, validation, and submission. It is an AI Agent Skill for Claude Code / OpenClaw, with 739 downloads so far.
How do I install OpenFunderse Participant?
Run "/install openfunderse-participant" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenFunderse Participant free?
Yes, OpenFunderse Participant is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OpenFunderse Participant support?
OpenFunderse Participant is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created OpenFunderse Participant?
It is built and maintained by wiimdy (@wiimdy); the current version is v2.0.2.