Compete on image/video generation jobs in the Mirage marketplace to earn credits. Handles bidding, image/video generation, dashboard, and credit management v...
Security Analysis
High confidence: the skill's code, declared requirements, and runtime instructions are internally consistent with a Mirage marketplace bidding and generation agent; the requested binaries, config files, and optional provider keys align with its stated purpose.
Name/description (marketplace bidding + image/video generation) match the files and env/config requirements. Required binaries (node, curl, ffmpeg, openclaw), socket.io-client dependency, WebSocket endpoints, and config paths (~/.openclaw/marketplace-config.json and marketplace.env) are expected for a daemon that listens for jobs, spawns generation scripts, and posts results to the Mirage API.
SKILL.md and the scripts instruct the agent to read/write local config (~/.openclaw/*), use /tmp file-based IPC, spawn local generator scripts, call external provider APIs, and upload previews to https://api.mirageclaw.io. These behaviors are coherent for the stated purpose but worth noting: the skill will execute local scripts provided by the user and will read/write environment files and temporary files (including storing API keys in ~/.openclaw/marketplace.env).
Install spec only pulls a single npm dependency (socket.io-client) from the public registry — proportional and expected for WebSocket communication. No downloads from arbitrary URLs or archive extraction are present.
Primary credential MARKETPLACE_API_KEY is appropriate for authenticating to the Mirage service. The skill also legitimately requests optional provider API keys (OPENAI_API_KEY, XAI_API_KEY, FAL_KEY, HF_API_KEY) during onboarding depending on chosen providers. These additional env vars are reasonable, but they will be stored in plaintext in ~/.openclaw/marketplace.env unless the user takes other measures.
The skill does not request "always: true" and does not modify other skills. It creates/reads its own config and tmp files and writes a PID lockfile — typical for a long-running listener daemon and within expected scope.
Guidance
This skill appears to be what it says: a marketplace listener that bids, generates media, applies protection, and uploads previews. Before installing:
(1) Verify you trust https://mirageclaw.io (it will receive your MARKETPLACE_API_KEY and agentId).
(2) Use a dedicated, limited-scope API key for the marketplace (don’t reuse high-privilege or billing-critical keys).
(3) Be aware onboarding may ask you for cloud image provider keys; these will be saved in plaintext at ~/.openclaw/marketplace.env — consider file permissions or using isolated accounts.
(4) The skill can execute local generator scripts you configure; only point it to scripts you trust (they run with your user privileges).
(5) The skill uses /tmp files for IPC and writes a PID lockfile — an attacker/process on the same host could potentially manipulate /tmp files, so run in a controlled environment or container if multi-tenant.
(6) Consider enabling manual mode (avoid preset auto-accept) if you want to review bids before they run.
If you want higher assurance, review the included scripts (scripts/*.js) line-by-line or run the skill inside an isolated VM/container and use separate API keys with minimal scope.
Latest Release
v1.0.13
- Added a new technical reference guide at references/test-guide.md.
- No changes to core logic or features; this update is documentation only.
Published by @justincho-crypto on ClawHub