Para Wallet

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its wallet purpose, but the provided instructions give an agent raw blockchain-signing power without clearly requiring human review before signatures are produced.

Only install this if you are comfortable letting an agent access a Para API key and request wallet signatures. Verify the skill against Para's official documentation, use beta/testnet first, restrict and rotate credentials, and require manual review of each transaction or data payload before signing.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent signs the wrong opaque data, the resulting signature could authorize an unintended blockchain transaction or other irreversible action if broadcast later.

Why it was flagged

The skill exposes a raw signing endpoint for arbitrary hex data and serialized transactions. That is purpose-aligned, but it is a high-impact action and the provided instructions do not show a required approval or transaction-inspection step before signing.

Skill content

POST /v1/wallets/{walletId}/sign-raw ... Signs arbitrary data ... Sign a serialized Solana transaction

Recommendation

Require explicit user confirmation before every signing request, decode and summarize transaction contents, restrict allowed wallet IDs/chains, prefer beta or testnet during development, and avoid signing opaque data the user has not reviewed.

What this means

Anyone or any agent workflow with access to this API key may be able to perform Para wallet operations within the key's permissions.

Why it was flagged

The skill requires a Para API key for every wallet operation. This is expected for the stated service, but it gives the agent credentialed access to create wallets and request signatures.

Skill content

openclaw.requires.env: ["PARA_API_KEY"] ... Auth: Pass your API key in the `X-API-Key` header on every request

Recommendation

Use the least-privileged Para key available, keep it out of logs and prompts, rotate it if exposed, and limit agent access to the key unless the agent is trusted to create wallets and request signatures.

What this means

Users have less registry-level evidence that this skill is an official Para-published integration or that its endpoint guidance is maintained.

Why it was flagged

The registry does not provide a source repository or homepage, which makes provenance harder to verify for a skill that asks users to configure a wallet-service API key.

Skill content

Source: unknown
Homepage: none

Recommendation

Verify the API endpoints and setup instructions against Para's official documentation before providing credentials or using mainnet wallets.