Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Autonomous Agent Skills

CornerStone MCP x402 skill for agents. Tools for stock predictions, backtests, bank linking, and agent/borrower scores. Payment-protected MCP tools (run_prediction, run_backtest, link_bank_account, get_agent_reputation_score, get_borrower_score, by-email variants) with x402 flow (Aptos + Base). Skill handles 402 → pay → retry. Wallet attestation for onboarding. For marketplaces where agents download and use skills autonomously.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 3.5k · 17 current installs · 20 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (x402 payments, predictions/backtests, bank linking, reputation scores) align with the included code (aptos/evm wallet, x402/mcp client, tools). Required binaries (node/npm) are appropriate. However registry/metadata declares no required env vars or config paths even though SKILL.md and package.json document many expected environment variables (X402_FACILITATOR_URL, HUGGINGFACE_API_KEY/HF_TOKEN, APTOS/EVM wallet paths or private keys, LLM_MODEL, etc.), which is an inconsistency that reduces transparency.
! Instruction Scope
Runtime instructions and scripts read local wallet files (~/.aptos-agent-wallets.json, ~/.evm-wallets.json) and/or environment private keys (APTOS_PRIVATE_KEY, EVM_PRIVATE_KEY) and sign attestation/payment payloads, call external facilitator endpoints, and perform on-chain actions. Those actions are necessary for the stated payment capability, but the SKILL.md instructs the agent to access secrets and local wallet files that were not declared in the skill metadata and to contact external endpoints (facilitator, arnstein.ch flow page, GitHub raw URLs) — this is scope-expanding and should be explicit to users.
Install Mechanism
There is no install spec provided by the registry (lowest transport risk). The package includes a full Node.js project with package.json/package-lock and many dependencies (LangChain, viem, @aptos-labs packages). Installing would require npm and will pull third-party packages from npm; that's expected for this functionality but the registry metadata not marking required env/config is inconsistent with the code. No remote arbitrary archive downloads were found.
! Credentials
The skill requires access to sensitive secrets in practice (wallet private keys, HF API keys, facilitator URL, optional GH_TOKEN) to operate, but the registry lists no required env vars or primary credential. The number and sensitivity of these credentials are proportionate to a payments/wallet skill — but they must be disclosed. The metadata omission is a red flag: the skill will access local keys/files and environment variables that a user may not expect to be needed.
Persistence & Privilege
always:false (no forced inclusion). disable-model-invocation:false (normal) — so the skill can be invoked autonomously by the agent. Given the skill can sign on-chain payments and retry MCP calls automatically, autonomous invocation increases blast radius (the agent could initiate payments). This is expected for a payment-capable tool, but users should be aware and restrict keys/funds to testnets or require user confirmation for spends.
What to consider before installing
This skill appears to implement what it claims (Aptos/EVM wallets, x402 payment flow, prediction/backtest/bank-link tools), but pay close attention before installing or supplying secrets:

  1. Metadata omits required env vars/config — the code expects X402_FACILITATOR_URL, wallet private keys or wallet files (APTOS_PRIVATE_KEY, EVM_PRIVATE_KEY, APTOS_WALLET_PATH, EVM_WALLET_PATH), HF API keys, etc.
  2. The skill reads/writes local wallet files and can sign transactions and submit payments — do NOT provide mainnet private keys or large balances; use testnet keys/funds only.
  3. Verify the facilitator URL and repository source (package.json points at a GitHub repo); confirm the code you install matches the upstream repo and that the facilitator service is trustworthy.
  4. If you need to allow autonomous agent invocation, restrict its permissions or require explicit user approval for payment actions.
  5. If unsure, review the src/ files (attest-*, signPayment, mcp client) yourself or run the skill in a sandboxed/test environment first.
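One way to check the metadata gap described above before installing, as an added example (not ClawHub's scanner and not the skill's code): it lists environment variables and home-directory wallet files that source text references but the registry metadata does not declare. The function name, the regexes and the sample inputs are constructed for this example; the variable and file names are the ones the scan text mentions.

```javascript
// Added example: find env vars and wallet files a skill's source touches
// but its registry metadata does not declare. auditSkill and the sample
// inputs are constructed; they are not part of the skill or of ClawHub.
const ENV_REF = /process\.env(?:\.([A-Z][A-Z0-9_]*)|\[\s*['"]([A-Z][A-Z0-9_]*)['"]\s*\])/g;
const HOME_FILE = /~\/\.[\w.-]+\.json/g;
const SENSITIVE = /(PRIVATE_KEY|TOKEN|API_KEY|WALLET_PATH)$/;

function auditSkill(sources, declaredEnv, declaredPaths) {
  const env = new Set();
  const paths = new Set();
  for (const text of Object.values(sources)) {
    // Both process.env.NAME and process.env["NAME"] count as a reference.
    for (const m of text.matchAll(ENV_REF)) env.add(m[1] || m[2]);
    for (const m of text.matchAll(HOME_FILE)) paths.add(m[0]);
  }
  const undeclaredEnv = [...env].filter((n) => !declaredEnv.includes(n)).sort();
  return {
    undeclaredEnv,
    // Subset whose name suggests a credential or a key-file location.
    undeclaredSecrets: undeclaredEnv.filter((n) => SENSITIVE.test(n)),
    undeclaredPaths: [...paths].filter((p) => !declaredPaths.includes(p)).sort(),
  };
}

// Constructed sample: two source snippets and empty registry metadata.
const sampleSources = {
  "src/wallet.js": `
    const key = process.env.APTOS_PRIVATE_KEY;
    const file = process.env["APTOS_WALLET_PATH"] || "~/.aptos-agent-wallets.json";`,
  "src/client.js": `
    const url = process.env.X402_FACILITATOR_URL;
    const hf = process.env.HF_TOKEN;
    const evm = process.env.EVM_PRIVATE_KEY || readJson("~/.evm-wallets.json");`,
};
const sampleMetadata = { env: [], configPaths: [] };

console.log(auditSkill(sampleSources, sampleMetadata.env, sampleMetadata.configPaths));
```

Any non-empty `undeclaredSecrets` or `undeclaredPaths` is the inconsistency the scan flags: access the user was not told about at install time.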

Like a lobster shell, security has layers — review code before you run it.

Current version: v2.1.1
latest vk97944er3dpnkhg64fp1j11b0580zhy5

Runtime requirements

📈 Clawdis
Bins: node, npm

SKILL.md

CornerStone MCP x402 Skill (for Agents)

This skill gives you (the agent) a set of tools to: create and manage Aptos and EVM wallets, check balances, and call x402-paid MCP tools (stock prediction, backtest, bank linking, agent/borrower scores). Payment is automatic — when a paid tool returns 402, the skill signs, verifies, settles, and retries transparently. You just call the tool; the result comes back.


Quick-start workflow

Follow this sequence on first use, then skip to the tool you need:

  1. Check wallets → call get_wallet_addresses (no args).
  2. If empty → call create_aptos_wallet then create_evm_wallet.
  3. Fund → call credit_aptos_wallet (Aptos faucet) and fund_evm_wallet (EVM faucet instructions).
  4. Tell the user to whitelist the returned addresses at https://arnstein.ch/flow.html.
  5. Check balance → call balance_aptos (must have USDC for predictions/backtests) and/or balance_evm (must have ETH for bank linking).
  6. Use paid tools → run_prediction, run_backtest, link_bank_account, or score tools.

Important: Paid tools will fail with a wallet/whitelist error if the address has not been funded and whitelisted. Always verify wallets and balances first.


Tool reference

Wallet management tools (local)

get_wallet_addresses

  • Args: none
  • Returns: { aptos: [{ address, network }], evm: [{ address, network }] } — may be empty arrays.
  • When to use: Always call first before any wallet or paid tool action. Determines what exists.
  • Decision: If both arrays are empty → create wallets. If only one is empty → create the missing one. If both have entries → proceed to balance check or paid tools.

create_aptos_wallet

  • Args: { force?: boolean, network?: "testnet" | "mainnet" } — defaults: force=false, network=testnet.
  • Returns: { success, address, network, message } or { success: false, message, addresses } if wallet exists and force=false.
  • When to use: When get_wallet_addresses returns empty aptos array, or user requests a new wallet.
  • Error handling: If success: false and wallet already exists, either use the existing wallet or retry with force: true to add another.

create_evm_wallet

  • Args: { force?: boolean, network?: "testnet" | "mainnet" } — defaults: force=false, network=testnet.
  • Returns: { success, address, network, message } or { success: false, message, addresses }.
  • Same pattern as create_aptos_wallet.

credit_aptos_wallet

  • Args: { amount_octas?: number } — default 100,000,000 (= 1 APT).
  • Returns on devnet: { success: true, address } (programmatic faucet funded).
  • Returns on testnet: { success: true, address, faucet_url } (instructions only; no programmatic faucet).
  • Prerequisite: Aptos wallet must exist (create_aptos_wallet first).
  • Note: Funded APT is for gas; tools pay in USDC (~6¢). The user may need to acquire testnet USDC separately.

fund_evm_wallet

  • Args: none
  • Returns: { success: true, address, faucet_url, message } (manual funding instructions).
  • Prerequisite: EVM wallet must exist (create_evm_wallet first).
  • Note: Returns a Base Sepolia faucet URL. The user must fund manually; there is no programmatic faucet.

Balance tools (local)

balance_aptos

  • Args: none
  • Returns: { address, balances: { usdc, apt } } or { error }.
  • When to use: Before calling run_prediction, run_backtest, or score tools to confirm sufficient USDC.

balance_evm

  • Args: { chain?: string } — default "base". Supported: base, baseSepolia, ethereum, polygon, arbitrum, optimism.
  • Returns: { address, chain, balance, symbol } or { error }.
  • When to use: Before calling link_bank_account to confirm sufficient ETH on Base Sepolia.
  • Note: For testnet tools, use chain: "baseSepolia".

Paid MCP tools (x402 — payment handled automatically)

All paid tools accept both Aptos and EVM payment. The skill picks the best option or follows PREFERRED_PAYMENT_ORDER. You never see 402 errors — just call the tool and get the result or an error message.

run_prediction

  • Args: { symbol: string, horizon?: number } — symbol is a stock ticker (e.g. "AAPL"), horizon is days (default 30).
  • Returns: Prediction result object (forecast data, confidence intervals, etc.) or { error }.
  • Cost: ~6¢ USDC (Aptos or EVM).
  • Prerequisite: Funded + whitelisted Aptos or EVM wallet.
  • Example call: run_prediction({ symbol: "AAPL", horizon: 30 })

run_backtest

  • Args: { symbol: string, startDate?: string, endDate?: string, strategy?: string } — dates in "YYYY-MM-DD", strategy defaults to "chronos".
  • Returns: Backtest result (returns, drawdown, sharpe, etc.) or { error }.
  • Cost: ~6¢ USDC.
  • Example call: run_backtest({ symbol: "TSLA", startDate: "2024-01-01", endDate: "2024-12-31", strategy: "chronos" })

link_bank_account

  • Args: none
  • Returns: { link_token } or account ID for Plaid bank linking, or { error }.
  • Cost: ~5¢ (EVM/Base).
  • Prerequisite: Funded + whitelisted EVM wallet (Base Sepolia for testnet).

get_agent_reputation_score

  • Args: { agent_address?: string, payer_wallet?: string } — both optional; uses the configured wallet if omitted.
  • Returns: { reputation_score: number } (e.g. 100) or 403 if not allowlisted, or { error }.
  • Cost: ~6¢ via x402, or free with lender credits (pass payer_wallet).

get_borrower_score

  • Args: { agent_address?: string, payer_wallet?: string } — same pattern.
  • Returns: { score: number } (100 base; higher with bank linked) or { error }.
  • Cost: ~6¢ via x402, or free with lender credits.

get_agent_reputation_score_by_email

  • Args: { email: string, payer_wallet?: string } — resolves email to allowlisted agent.
  • Returns: { reputation_score: number } or { error }.
  • Prerequisite: SCORE_BY_EMAIL_ENABLED must be set on the server. Higher fee.

get_borrower_score_by_email

  • Args: { email: string, payer_wallet?: string } — same pattern.
  • Returns: { score: number } or { error }.
  • Prerequisite: SCORE_BY_EMAIL_ENABLED must be set on the server. Higher fee.
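Because the paid tools above settle payment without showing the 402 to the caller, a host can put a policy gate in front of them. The following is an added example, not code from the skill: `makeSpendGuard`, its policy fields and the stub tools are hypothetical, and the prices are the approximate per-call costs listed in the tool reference.

```javascript
// Added example: deny-by-default gate in front of the paid tools. Tool names
// and approximate prices (cents) come from the tool reference; makeSpendGuard,
// the policy fields and the stub tools are hypothetical, not the skill's API.
const PRICE_CENTS = new Map([
  ["run_prediction", 6], ["run_backtest", 6], ["link_bank_account", 5],
  ["get_agent_reputation_score", 6], ["get_borrower_score", 6],
]);

function makeSpendGuard(tools, policy) {
  let spentCents = 0;
  const log = [];
  async function call(name, args = {}) {
    const price = PRICE_CENTS.get(name);
    const deny = (reason) => {
      log.push({ name, allowed: false, reason });
      return { error: reason };
    };
    // Unpriced tools (e.g. the higher-fee by-email variants) are refused.
    if (price === undefined || typeof tools[name] !== "function") return deny("tool not allowed");
    if (!policy.allowedNetworks.includes(policy.network)) return deny("network not allowed");
    if (spentCents + price > policy.sessionBudgetCents) return deny("session budget exceeded");
    if (!(await policy.approve({ name, args, price }))) return deny("user declined");
    // Reserve the cost before the call so an automatic retry cannot overshoot.
    spentCents += price;
    log.push({ name, allowed: true, price });
    return tools[name](args);
  }
  return { call, spent: () => spentCents, log };
}

// Constructed stubs standing in for the skill's tools.
const stubTools = {
  run_prediction: async ({ symbol }) => ({ symbol, forecast: "stub" }),
  link_bank_account: async () => ({ link_token: "stub-token" }),
};

async function demo() {
  const guard = makeSpendGuard(stubTools, {
    network: "testnet", allowedNetworks: ["testnet"], sessionBudgetCents: 11,
    approve: async ({ name }) => name !== "link_bank_account", // stand-in for a user prompt
  });
  const a = await guard.call("run_prediction", { symbol: "AAPL", horizon: 30 });
  const b = await guard.call("link_bank_account"); // approver declines
  const c = await guard.call("run_prediction", { symbol: "TSLA" }); // 6 + 6 > 11
  const d = await guard.call("get_borrower_score_by_email", { email: "a@example.com" });
  return { a, b, c, d, spent: guard.spent() };
}
demo().then((r) => console.log(r));
```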

Decision tree for common tasks

"Run a prediction for X"

get_wallet_addresses
  → aptos empty? → create_aptos_wallet → credit_aptos_wallet → tell user to whitelist
  → aptos exists? → balance_aptos
    → has USDC? → run_prediction({ symbol: "X", horizon: 30 })
    → no USDC? → tell user to fund USDC, provide address

"Link a bank account"

get_wallet_addresses
  → evm empty? → create_evm_wallet → fund_evm_wallet → tell user to whitelist
  → evm exists? → balance_evm({ chain: "baseSepolia" })
    → has ETH? → link_bank_account
    → no ETH? → fund_evm_wallet (returns faucet URL)

"Get my scores"

get_wallet_addresses
  → has aptos or evm? → get_agent_reputation_score + get_borrower_score
  → neither? → create wallets first, whitelist, then query

Error handling

| Error pattern | Meaning | What to do |
| --- | --- | --- |
| "No Aptos wallet" | Wallet file missing | Call create_aptos_wallet |
| "No EVM wallet" | Wallet file missing | Call create_evm_wallet |
| "already exist. Use force: true" | Wallet exists, not overwriting | Use existing wallet, or pass force: true to add another |
| "Payment verification failed" | Insufficient funds or wrong asset | Check balance; tell user to fund the wallet |
| "No Aptos wallet configured" / "No EVM wallet configured" | Paid tool needs wallet that doesn't exist | Create the missing wallet type |
| "Unsupported chain" | Invalid chain name for balance_evm | Use one of: base, baseSepolia, ethereum, polygon, arbitrum, optimism |
| "timed out after 300s" | MCP call took too long | Retry once; the server may be under load |
| "403" or "not allowlisted" | Wallet not whitelisted | Tell user to whitelist address at https://arnstein.ch/flow.html |

Setup (for the human installing this skill)

  1. Install: npm install from repo root. Copy .env.example to .env.
  2. Configure: Set wallet paths (APTOS_WALLET_PATH, EVM_WALLET_PATH or EVM_PRIVATE_KEY).
  3. Wallets: Create via tools (create_aptos_wallet, create_evm_wallet) or CLI (node src/setup-aptos.js, node src/setup.js). Fund and whitelist all addresses at https://arnstein.ch/flow.html.

CLI commands (from repo root)

| Task | Command |
| --- | --- |
| Generate Aptos wallet | npm run setup:aptos |
| Generate EVM wallet | npm run setup |
| Show addresses for whitelist | npm run addresses |
| Credit Aptos (devnet) | npm run credit:aptos (set APTOS_FAUCET_NETWORK=devnet) |
| EVM balance | npm run balance -- <chain> |
| Transfer ETH/tokens | npm run transfer -- <chain> <to> <amount> [tokenAddress] |
| Swap tokens (Odos) | npm run swap -- <chain> <fromToken> <toToken> <amount> |
| Run skill demo | npx cornerstone-agent "Run a 30-day prediction for AAPL" |
| Attest Aptos wallet | npm run attest:aptos |
| Attest EVM wallet | npm run attest:evm |

Source: FinTechTonic/autonomous-agent

Files

53 total