← Back to Skills Marketplace
Potato Tipper
by
Jean Cvllr
· GitHub ↗
· v1.0.2
446
Downloads
1
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install potato-tipper
Description
Skill for AI agents to setup the Potato Tipper on a Universal Profile on LUKSO (requires private key), and learn to build innovative tip-on-follow solutions.
Usage Guidance
Do not paste or upload your private key into the agent. The skill's scripts and examples require a controller PRIVATE_KEY and will broadcast transactions (set data on your Universal Profile and authorize token operator allowances). The registry metadata failing to declare those env vars is a red flag — assume the skill will ask you to provide them if you follow the 'one-click' path. If you want to use this skill safely:
- Review the included code locally (repo is on GitHub) before running anything.
- Run setup only from your own trusted environment (not by pasting secrets into a chat/agent) and use a test account on testnet first.
- Prefer granting minimal controller permissions and temporary budgets; consider toggling permissions off after setup.
- If you must interact via an agent, restrict it to read-only operations (code review, explanation, or encoding helpers) and refuse any request to supply PRIVATE_KEY or other secret values.
- If the registry metadata is supposed to list required env vars, ask the publisher to correct that mismatch before trusting automated flows.
Capability Analysis
Type: OpenClaw Skill
Name: potato-tipper
Version: 1.0.2
The skill is classified as suspicious due to its direct handling of a user's private key and reliance on an external GitHub repository. The `SKILL.md` and `scripts/setup_potato_tipper.sh` explicitly instruct the AI agent to use a `PRIVATE_KEY` environment variable to sign and broadcast blockchain transactions via `forge script`. While the Solidity script (`SetupPotatoTipper.s.sol`) and the shell script appear to perform legitimate configuration actions for the 'Potato Tipper' application, the direct exposure and use of a private key by an AI agent represent a critical vulnerability. Additionally, the `setup_potato_tipper.sh` script performs a `git clone` from an external URL (`https://github.com/CJ42/potato-tipper-contracts.git`), introducing a supply chain risk if that repository were ever compromised. These are significant security risks, even without clear evidence of intentional malicious exfiltration or unauthorized actions within the provided code.
Capability Assessment
Purpose & Capability
The name/description (install PotatoTipper on a LUKSO Universal Profile) matches the provided files: ABIs, encoding helpers, Foundry/TypeScript examples, and a setup script. However the registry metadata claims 'Required env vars: none' while the scripts and SKILL.md explicitly require a controller PRIVATE_KEY and several other env vars (TIP_AMOUNT, UP_ADDRESS, etc.). That mismatch is unexpected and warrants caution.
Instruction Scope
SKILL.md and included files provide step-by-step setup that instructs cloning the GitHub repo and running a Foundry script which expects PRIVATE_KEY and will broadcast transactions to the LUKSO RPC. The runtime instructions therefore go beyond passive reading: they direct actions that change on‑chain state and authorize token allowances. This is within the skill's stated purpose but requires handling a private key and running repo code — both high-risk operations if done via an agent or without manual oversight.
Install Mechanism
There is no formal install spec (instruction-only), but the included shell script clones a public GitHub repo (github.com/CJ42/potato-tipper-contracts) and executes a Foundry script. Cloning from GitHub is a common, traceable pattern (lower risk than arbitrary URLs), but executing code from a remote repo that will broadcast transactions increases risk and should be done locally by the user after manual review.
Credentials
The skill effectively requires a sensitive PRIVATE_KEY (EOA controller key) plus other env vars to perform its main function, yet the registry metadata lists no required env vars or primary credential. Asking for a private key is proportionate to the action of configuring a UP on-chain, but the omission in metadata is an incoherence and a security concern: the agent or script may prompt for or request sensitive credentials unexpectedly. Also the scripts authorize an operator on the user's token (spend allowance), which is a powerful action and must be considered by the user.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or global agent settings. The default ability for the agent to invoke the skill autonomously is allowed by platform defaults; combined with the above credential/transaction concerns this increases potential blast radius if the agent were given a private key or instructed to run the setup automatically. Treat autonomous runs as risky when private keys are involved.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install potato-tipper - After installation, invoke the skill by name or use
/potato-tipper - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
- Simplified and clarified the skill description and audience.
- Refocused on setup, configuration, and technical guidance for Potato Tipper on LUKSO Universal Profiles.
- Highlighted core learning areas: protocol understanding, troubleshooting, configuring permissions/data keys, and tip-on-follow integrations.
- Explicitly stated TypeScript and Solidity code example support.
- Non-essential/overly detailed architectural explanations trimmed for brevity.
- No file or functional changes to code; documentation only.
v1.0.1
- Added an audience-friendly summary at the top describing Potato Tipper and common use-cases.
- Streamlined workflows to focus on setup, permissions, and integration (testing/deployment commands moved or removed).
- Workflow order revised: configuration/setup workflow is now featured as the first technical step for users.
- Clarified the skill’s usage for understanding, troubleshooting, and innovating with Potato Tipper.
- Minor edits for conciseness, clarity, and consistent formatting throughout the documentation.
v1.0.0
Potato Tipper 1.0.0
- Initial release of the potato-tipper skill for interacting with the Potato Tipper Foundry smart-contract repo.
- Covers architecture, LUKSO/LSP integrations (LSP1, LSP7, LSP26, ERC725Y), tests, deployment, permissions, and security review.
- Includes detailed setup instructions, code examples in TypeScript and Solidity, and quick-start workflows.
- Provides one-click Foundry script for configuring a Universal Profile with PotatoTipper and tipping budget.
- Reference links to deployed contract addresses and manual configuration details.
Metadata
Frequently Asked Questions
What is Potato Tipper?
Skill for AI agents to setup the Potato Tipper on a Universal Profile on LUKSO (requires private key), and learn to build innovative tip-on-follow solutions. It is an AI Agent Skill for Claude Code / OpenClaw, with 446 downloads so far.
How do I install Potato Tipper?
Run "/install potato-tipper" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Potato Tipper free?
Yes, Potato Tipper is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Potato Tipper support?
Potato Tipper is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Potato Tipper?
It is built and maintained by Jean Cvllr (@cj42); the current version is v1.0.2.
More Skills