usd1 transfer
v1.0.0
Securely transfer USD1 (USDC on Wormhole) between wallets via Wormhole Liquidity Facility on Testnet, returning transaction hash and status.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill name/SKILL.md describe a USD1 (Wormhole/USDC) transfer and the index.js implements a transfer using the Wormhole SDK. Required input (private key, amount, recipient) is consistent with a wallet transfer. Minor implementation issues (address format and numeric conversion) are present but do not indicate misalignment with the stated purpose.
Instruction Scope
SKILL.md confines behavior to performing a transfer and asks for the sender private key as a secure input. The runtime code only uses provided inputs and the Wormhole SDK; it does not read other files or unrelated environment variables. Note: instructions require direct private key input (raw key material), which expands the attack surface if mishandled.
Install Mechanism
No install spec is provided (instruction-only), but a package.json and package-lock exist listing @wormhole-foundation/* and many third-party npm deps. There is no direct download-from-URL risk, but a dependency-heavy npm tree increases supply-chain risk and includes packages with deprecation/security notes (see guidance).
Credentials
No environment variables or external credentials are requested beyond the sender private key (provided as a secure input), which is proportionate for a wallet transfer. The skill does not demand unrelated secrets or system credentials.
Persistence & Privilege
The skill does not request always:true, does not declare system-wide config changes, and appears not to persist or escalate privileges. Agent autonomous invocation remains enabled by default (platform behavior) but is not requested by the skill itself.
Assessment
This skill appears to do what it says (transfer USD1 via Wormhole) but exercise caution before installing or running it with real funds:
- Private key handling: the skill requires a raw privateKey input. Avoid pasting production private keys. Prefer a signing service, ephemeral/test keys, or hardware wallet integration rather than exposing raw keys to skills.
- Test first: run only on testnet and with very small amounts until you verify behavior. SKILL.md says Testnet by default, but confirm runtime actually uses testnet endpoints in your environment.
- Address format: double-check the recipient address encoding for the chosen chain (the code constructs a UniversalAddress with 'hex' which may be incorrect for some chains such as Solana). Sending to a malformed address can irreversibly lose funds.
- Dependency/supply-chain risk: there is a package-lock with many npm dependencies (some with deprecation/security notes). Audit or vendor the dependencies and run dependency scanners before installing in sensitive environments.
- Operational controls: restrict this skill to user-invoked use only (do not enable it to run autonomously), and review logs/outputs for unexpected network calls. If possible, require an explicit approval step before sending transactions.
If you want, I can: (a) list the dependency warnings found in package-lock, (b) check the code for specific address-format fixes, or (c) suggest a safer design that uses an external signer instead of raw private keys.
Like a lobster shell, security has layers — review code before you run it.
latest
USD1 WLF Transfer Skill
Description
Allows an agent to securely transfer USD1 (USDC on Wormhole) from one wallet to another using Wormhole Liquidity Facility (WLF).
Capabilities
- Check sender wallet balance (optional)
- Transfer a specified amount of USD1 to a recipient address
- Return transaction hash and status
- Uses Testnet by default for safety
Input Parameters
- amount: number (required) - amount of USD1 to send (e.g. 1.0)
- toAddress: string (required) - recipient wallet address (e.g. 0x123...)
- chain: string (optional, default: Solana) - source chain
- privateKey: string (secure, required) - sender wallet private key
Output
- transactionHash: string
- status: "success" or "failed"
- message: string (details or error)
Security Notes
- Never hardcode private keys
- Use secure agent input for keys
- Testnet only until production
Example Usage
/skill usd1-wlf-transfer amount=1.0 toAddress=0xabc123... chain=Solana
