Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Wallet

Discover supported cryptocurrencies, generate deposit addresses, and withdraw crypto to external wallets.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 current installs · 0 all-time installs
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The skill's stated purpose (list coins, generate deposit addresses, withdraw funds) matches the API endpoints in SKILL.md, but the declared requirement (only AIOT_API_BASE_URL) is incomplete: the endpoints are labeled 'Requires auth' and runtime text says to verify a bearer token, yet no credential env var (API key, bearer token, client secret) is declared. Also the declared primaryEnv is a base URL (not a credential), which is unusual.
Instruction Scope (flagged)
SKILL.md gives concrete API flows and security guidance (ask for transaction PIN each time, don't cache secrets), which is appropriate, but it leaves authentication acquisition undefined (it says 'verify session has a valid bearer token' without describing how to obtain or store it). The default base URL is a 'dev' host (https://payment-api-dev.aiotnetwork.io), which means calls could go to a development environment by default — surprising for a production crypto wallet and potentially dangerous if users assume production endpoints.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by the registry package itself. This is the lowest install risk.
Credentials (flagged)
Only AIOT_API_BASE_URL is required/declared. That is insufficient for an API labeled 'Requires auth' and for withdrawal operations that normally require credentials and user verification. The skill asks for a 4-digit transaction PIN at runtime but gives no secure channel or storage guidance for delivering that PIN to the service. The default base URL being a dev host increases the risk of misconfiguration or accidental data exposure to an unintended endpoint.
Persistence & Privilege
The skill does not request always:true and does not declare any config paths or system-wide changes. Autonomous invocation is allowed by default (disable-model-invocation is false), which is normal; there is no indication the skill requests persistent privileges beyond normal runtime use.
What to consider before installing
This skill describes legitimate crypto wallet operations but is missing critical pieces: it only asks for an API base URL (not any credentials) while its API calls require a bearer token, and it defaults to a development API hostname. Before installing or using it, verify these things with the publisher: (1) where and how bearer tokens or API keys are supplied (declare required env vars), (2) confirm the correct production API endpoint (do not use the dev URL unless you control that environment), (3) ensure you trust the unknown source/homepage (no homepage provided), and (4) never provide transaction PINs or credentials unless you have verified the endpoint and its TLS certificate. If you cannot get clear answers and a trustworthy homepage/repo, treat this skill as untrusted.


Current version: v1.0.1
latest: vk97f5hbe0m3etctm76rcb0060s838jgf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Env: AIOT_API_BASE_URL
Primary env: AIOT_API_BASE_URL

SKILL.md

Crypto Wallet

Use this skill when the user needs to deposit cryptocurrency into their wallet or withdraw to an external address.

Configuration

The default API base URL is https://payment-api-dev.aiotnetwork.io. All endpoints are relative to this URL.

To override (e.g. for local development):

export AIOT_API_BASE_URL="http://localhost:8080"

If AIOT_API_BASE_URL is not set, use https://payment-api-dev.aiotnetwork.io as the base for all requests.

Available Tools

  • get_coins — List all supported cryptocurrencies | GET /api/v1/wallet/coins | Requires auth
  • get_coin_networks — List supported blockchain networks for a specific coin | GET /api/v1/wallet/coins/:coin_id/networks | Requires auth
  • get_deposit_address — Generate or retrieve a deposit address for a coin on a specific network | POST /api/v1/wallet/deposit/address | Requires auth
  • get_withdraw_quote — Get a quote for a crypto withdrawal (fees, limits) | POST /api/v1/wallet/withdraw/quote | Requires auth
  • initiate_withdraw — Start a crypto withdrawal to an external address | POST /api/v1/wallet/withdraw | Requires auth
  • get_withdraw_status — Check the status of a crypto withdrawal | GET /api/v1/wallet/withdraw/:id | Requires auth
  • confirm_withdraw — Confirm a pending crypto withdrawal | POST /api/v1/wallet/withdraw/:id/confirm | Requires auth | Requires transaction PIN

Recommended Flows

Deposit Crypto

Generate a deposit address and fund your wallet with crypto

  1. List coins: GET /api/v1/wallet/coins — find the coin you want to deposit
  2. Get networks: GET /api/v1/wallet/coins/:coin_id/networks — choose the blockchain network
  3. Get address: POST /api/v1/wallet/deposit/address with {coin_id, network_id} — returns deposit address
  4. Send crypto to the returned address from your external wallet

Withdraw Crypto

Send crypto from your wallet to an external address

  1. Get quote: POST /api/v1/wallet/withdraw/quote with {coin_id, network_id, amount, address}
  2. Initiate: POST /api/v1/wallet/withdraw with quote details
  3. Confirm: POST /api/v1/wallet/withdraw/:id/confirm (requires transaction PIN)
  4. Track: GET /api/v1/wallet/withdraw/:id — monitor until completed
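The following client walks both documented flows (deposit and withdraw) and the Configuration section's base-URL handling, and builds in the checks the scan report asks for: TLS-only endpoints, an explicit opt-in before the development default is used, refusal to call any endpoint without a bearer token, network validation before a deposit address is requested, and a PIN that is asked for at confirm time and never stored. This is an added example written for this page, not code from the skill, ClawHub or AIOT Network. The skill declares no credential variable, so the token is passed in by the caller; the `"pin"` JSON field, the `quote_id`/`id`/`status` response fields, the `-dev.` hostname heuristic and the in-memory `fake_transport` are all assumptions made here so the example runs offline.

```python
"""Client for the skill's deposit and withdraw flows, with the checks the scan report asks for.
Added example, not code from the skill, ClawHub or AIOT Network. Assumptions the skill does not
state: the caller supplies the bearer token, the PIN is posted as JSON field "pin", and every
response field name used here is invented for illustration."""
import json
import urllib.request
from urllib.parse import urlparse

DEFAULT_BASE_URL = "https://payment-api-dev.aiotnetwork.io"  # default given in SKILL.md


class WalletConfigError(ValueError):
    """Unsafe or incomplete runtime configuration."""


def resolve_base_url(env, allow_dev=False):
    """Apply the skill's default, then refuse a non-TLS endpoint (plain http only for localhost,
    the case SKILL.md shows) and a development host unless the operator explicitly opts in."""
    url = env.get("AIOT_API_BASE_URL", DEFAULT_BASE_URL).rstrip("/")
    p = urlparse(url)
    if p.scheme != "https" and not (p.scheme == "http" and p.hostname in ("localhost", "127.0.0.1")):
        raise WalletConfigError(f"refusing non-TLS base URL {url!r}")
    if "-dev." in (p.hostname or "") and not allow_dev:  # naming heuristic (assumption)
        raise WalletConfigError(f"{url!r} is a development host; pass allow_dev=True only if you control it")
    return url


def urllib_transport(method, url, body, headers):
    """Real HTTP transport; urllib verifies the server certificate by default."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


class WalletClient:
    def __init__(self, base_url, token, transport=urllib_transport):
        if not token:  # every endpoint is labelled 'Requires auth'
            raise WalletConfigError("no bearer token available; refusing to call the API")
        self._base, self._token, self._transport = base_url, token, transport

    def _call(self, method, path, body=None):
        headers = {"Authorization": f"Bearer {self._token}", "Accept": "application/json",
                   "Content-Type": "application/json"}
        return self._transport(method, self._base + path, body, headers)

    def deposit_address(self, coin_id, network_id):
        # Deposit steps 1-3; the network is validated against the server's list for the coin
        # before an address is requested, since a wrong network permanently loses funds.
        coins = {c["id"] for c in self._call("GET", "/api/v1/wallet/coins")["coins"]}
        if coin_id not in coins:
            raise ValueError(f"unsupported coin {coin_id!r}")
        nets = {n["id"] for n in self._call("GET", f"/api/v1/wallet/coins/{coin_id}/networks")["networks"]}
        if network_id not in nets:
            raise ValueError(f"{network_id!r} is not a supported network for {coin_id!r}")
        return self._call("POST", "/api/v1/wallet/deposit/address",
                          {"coin_id": coin_id, "network_id": network_id})["address"]

    def withdraw(self, coin_id, network_id, amount, address, ask_pin, max_polls=10):
        # Withdraw steps 1-4: quote -> initiate -> confirm with PIN -> track. The PIN is asked
        # for only at confirm time and is neither stored on the object nor logged.
        quote = self._call("POST", "/api/v1/wallet/withdraw/quote",
                           {"coin_id": coin_id, "network_id": network_id, "amount": amount, "address": address})
        wid = self._call("POST", "/api/v1/wallet/withdraw", {"quote_id": quote["quote_id"]})["id"]
        pin = ask_pin()
        if not (len(pin) == 4 and pin.isdigit()):
            raise ValueError("transaction PIN must be exactly 4 digits")
        self._call("POST", f"/api/v1/wallet/withdraw/{wid}/confirm", {"pin": pin})
        status = "pending"
        for _ in range(max_polls):
            status = self._call("GET", f"/api/v1/wallet/withdraw/{wid}")["status"]
            if status in ("completed", "failed"):
                break
        return wid, status


def fake_transport():
    """Constructed in-memory stand-in for the API so the example runs offline."""
    state = {}

    def transport(method, url, body, headers):
        path = url.split("/api/v1/wallet", 1)[1]
        if path == "/coins":
            return {"coins": [{"id": "usdt"}, {"id": "btc"}]}
        if path.endswith("/networks"):
            return {"networks": [{"id": "trc20"}, {"id": "erc20"}]}
        if path == "/deposit/address":  # deterministic per coin+network, as the skill's rule states
            return {"address": f"addr-{body['coin_id']}-{body['network_id']}"}
        if path == "/withdraw/quote":
            return {"quote_id": "q-1", "fee": "1.0", **body}
        if path == "/withdraw":
            state["w-1"] = "pending"
            return {"id": "w-1", "status": "pending"}
        if path == "/withdraw/w-1/confirm":
            if body.get("pin") != "1234":
                raise PermissionError("403 wrong transaction PIN")
            state["w-1"] = "completed"
            return {"status": "completed"}
        if path == "/withdraw/w-1":
            return {"status": state["w-1"]}
        raise KeyError(path)

    return transport
```

Usage with the offline stand-in: `client = WalletClient(resolve_base_url({"AIOT_API_BASE_URL": "https://wallet-api.example"}), "demo-token", fake_transport())`, then `client.withdraw("usdt", "trc20", "25.00", "TExternalAddr", ask_pin=lambda: "1234")` returns `("w-1", "completed")`; swap in `urllib_transport` (the default) to talk to a real endpoint. Note that `resolve_base_url({})` raises rather than silently using the dev host, which is the behaviour the scan report's item (2) asks for.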

Rules

  • Always verify the correct network before depositing — sending to the wrong network will lose funds
  • Withdrawal follows a quote-then-confirm pattern — confirmation requires a transaction PIN
  • Deposit addresses are deterministic — the same coin+network always returns the same address

Agent Guidance

Follow these instructions when executing this skill:

  • Always follow the documented flow order. Do not skip steps.

  • If a tool requires authentication, verify the session has a valid bearer token before calling it.

  • If a tool requires a transaction PIN, ask the user for it fresh each time. Never cache or log PINs.

  • Never expose, log, or persist secrets (passwords, tokens, full card numbers, CVVs).

  • If the user requests an operation outside this skill's scope, decline and suggest the appropriate skill.

  • If a step fails, check the error and follow the recovery guidance below before retrying.

  • Always verify the user selected the correct blockchain network before generating a deposit address. Sending to the wrong network will permanently lose funds.

  • Withdrawal follows: get quote → initiate → confirm with transaction PIN. The confirmation step requires a 4-digit transaction PIN. Never skip the quote step.

  • Deposit addresses are deterministic — the same coin + network always returns the same address.

Files

1 total