Install
openclaw skills install crypto-guardianCrypto Guardian
Provides security guidance and checks for safely managing crypto wallets, keys, seed phrases, approvals, multisig, and incident response for AI agents.
Crypto Guardian
Comprehensive cryptocurrency security system for AI agents managing on-chain assets. Based on real-world theft patterns targeting AI agents and their conversation histories.
Threat Model: How AI Agents Get Robbed
Primary Attack Vector: Conversation History Scanning
Attackers actively scan public AI platforms, GitHub commits, and conversation logs for exposed private keys and seed phrases. A single private key in a chat history = immediate drain.
Real incident (2026-05-01):
- A private key was stored in SESSION-STATE.md
- AI conversation history was accessible to scanning systems
- Attacker found the key within minutes → drained ~$227 AUD in two transactions
Secondary Attack Vectors
- Phishing: Fake wallet apps, fake airdrops
- SIM-swap: SMS-based 2FA for exchanges
- Supply chain: Compromised hardware wallet sellers
- Smart contract exploits: Approved malicious tokens
- Social engineering: DMs promising "free crypto"
Gold Rules (Non-Negotiable)
1. Private keys and seed phrases MUST NOT exist in workspace files
Files that are NOT safe:
SESSION-STATE.mdworking-buffer.mdMEMORY.md.env(with the private key itself)- Any
.json,.txt,.mdin the workspace - Any AI conversation history (public platforms)
Safe alternatives:
.envonly, with keys referenced as env vars at runtime- Hardware wallets (keys never leave device)
- Encrypted storage with passphrase
- Wallets where private key is never stored at all (watch-only + hardware sign)
2. Never process private keys through AI conversation
- Don't send private keys in messages (even to "help analyze")
- Don't ask AI to sign transactions interactively in chat
- Use proper signing infrastructure (hardware wallet, air-gapped setup)
- Private key = one-time use, then never touches the network again
3. Assume all workspace files are public
- Every file written to workspace is potentially searchable
- Compaction services, memory systems, and search indexes all scan content
- If it would be bad if exposed, don't write it down
Wallet Architecture
Strategy: Compartmentalization
Hot Wallet (Small, Online)
- Purpose: Daily operations, small amounts
- Balance: $50-500 AUD max
- Examples: DEX trading wallet, Fiverr earnings wallet
- Always: Watch-only access where possible
Warm Wallet (Medium, Semi-Air-Gapped)
- Purpose: Active project funds, bounty earnings
- Balance: $500-5000 AUD
- Access: Hardware wallet for signing, watch-only for monitoring
- Examples: Jupiter DCA wallet, Grip Protocol wallet
Cold Wallet (Large, Offline)
- Purpose: Long-term holdings, savings
- Balance: >$5000 AUD
- Access: Hardware wallet only, no online access
- Storage: Physically separate from daily devices
Recommended Wallet Setup
Purpose | Wallet Type | Key Storage
---------------------|--------------------|----------------------
Trading/Active | Software (Solflare) | .env, never in files
Grip/Bounty Earn | Software (MetaMask) | Seed phrase in .env only
Long-Term Savings | Hardware (Ledger) | Never touches computer
Operational Security Checklist
Before Handling Any Crypto Asset
- Is this a new wallet or existing one?
- Will I need to store a private key or seed phrase?
- If YES: Can this be done with a hardware wallet instead?
- If YES: Can the signing happen on a different device than this agent?
- Is the amount worth the risk of key exposure?
When Creating New Wallets
- Generate on air-gapped hardware device OR in proper software wallet
- Immediately back up seed phrase to physical location (paper/metal)
- Verify the address BEFORE funding
- Delete any纸上残留的seed phrase notes
- Fund only after confirming backup is secure
When Signing Transactions
- Use hardware wallet or proper signing infrastructure
- Verify destination address on device screen
- Verify amount on device screen
- Never sign blind (don't sign unknown data)
- Set appropriate token approval limits (not unlimited)
For AI Agent Integration
- Use wallet APIs that don't expose raw private keys
- Store keys in environment variables, not files
- Use
signer.py/signer.tspattern: key in env → sign in-process - If possible, use wallet connectors (WalletConnect, Phantom) instead of raw keys
- Monitor with watch-only addresses (never put watch-only in signing context)
Token Approval Security
The Danger of "Unlimited Approvals"
When you approve a token spending, you often approve "unlimited" tokens. This means if the contract is malicious or hacked, they can drain your entire balance.
Rule: Always set specific approval limits, not unlimited.
How to Check Approved Tokens
# Check token approvals on Etherscan/Blockscan
# 1. Go to the address on Blockscan/Polkassembly
# 2. Click "Token Approvals"
# 3. Revoke any unused or suspicious approvals
# For Base network:
# https://basescan.org/tokenapprovalchecker
Approval Checklist
- Check approvals before using new dApp
- Revoke approvals for dApps you no longer use
- Use limited approvals (exact amount, not unlimited)
- Be extra careful with USDT, USDC, WETH (high value tokens)
Multi-Signature (Multisig) Setup
For amounts >$5000 AUD, consider multisig:
Gnosis Safe (Free, on Base)
- 2-of-3 signers: Hardware wallet + Ledger + Desktop
- Requires multiple devices to authorize any transaction
- Recovery: If one device lost, others still work
When to Use Multisig:
- Team/project funds (multiple decision makers)
- Long-term savings (>1 year)
- High-value holdings (>$5000 AUD)
- Any wallet that can't afford to be drained
Incident Response
If You Suspect a Key Has Been Exposed
- Act immediately — assume compromised until proven otherwise
- Check blockchain — look for outgoing transactions you didn't authorize
- If drained: Transaction is irreversible. Document for records.
- Revoke associated API keys: Any exchange keys that might be linked
- If fresh wallet: Move remaining funds to new wallet immediately
- Do NOT: Continue using the exposed key for anything
If You Discover a Drain
- Save transaction hashes — evidence for exchange reports
- Report to exchange (if funds were cashed out there)
- Check if it was a smart contract exploit — might be recoverable
- Accept the loss if on-chain and irreversible
Recovery Is Rare
Unlike credit cards, crypto transactions are irreversible. Prevention is the only real protection.
For OpenClaw Agents: Practical Implementation
Wallet Strategy for This Agent
Wallet Type | Address | Storage | Used For
---------------|-------------------|---------------|--------------------------
Active DCA | [DISCARDED] | None | (empty, was drained)
Bounty Earn | 0xD1089e... | .env only | Grip, ClawMoney
Watch-Only | [YOUR WALLET] | TOOLS.md | Monitor only
New DCA Wallet| TBD (new generation) | Hardware | Jupiter DCA (future)
Key Storage Rules
- Never write full private keys anywhere (except .env, which must be gitignored)
- Never in conversation: Even "let me check if this key is correct"
- Never in SESSION-STATE.md or working-buffer.md
- Never in memory files after session
- Use hardware wallet for any amount >$500 AUD
Environment Variable Pattern
# Correct: Private key in environment only
from dotenv import load_dotenv
load_dotenv()
private_key = os.environ["SOLANA_PRIVATE_KEY"] # Never written to file
# Wrong: Private key written to any workspace file
# private_key = "[PRIVATE KEY]" # NEVER DO THIS
Monitoring with Watch-Only Wallets
Use a different address for monitoring than for signing:
- Watch address: In TOOLS.md or config files
- Signing address: In hardware wallet only
This way, even if monitoring credentials are exposed, the funds are safe.
Summary: Security vs. Convenience
| Security Level | Use Case | Key Storage |
|---|---|---|
| Maximum | Long-term savings | Hardware wallet only |
| High | Active project funds | .env + careful handling |
| Medium | Daily trading | Software wallet, small balance |
| Low | Testing/learning | Any, small amounts |
Rule of Thumb: The cost of losing a wallet should never be life-changing. Keep only what you can afford to lose in hot wallets.
Emergency Contacts
- Base Network Scanner: https://basescan.org/
- Token Approval Checker: https://basescan.org/tokenapprovalchecker
- Revoke.cash: https://revoke.cash/
- Gnosis Safe (Multisig): https://app.safe.global/
- Ledger Recovery: https://www.ledger.com/stop-phishing-attacks
Crypto Guardian v1.0 — Created 2026-05-01 after real wallet theft incident