Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tronlink-skills

v1.0.1

This skill should be used when the user asks to 'check my TRX balance', 'show my TRON holdings', 'what tokens do I have on TRON', 'check my TRON wallet', 'Tr...

by trondev (@bbsyaya)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for bbsyaya/tronlink-skills.

Install the skill "tronlink-skills" (bbsyaya/tronlink-skills) from ClawHub.
Skill page: https://clawhub.ai/bbsyaya/tronlink-skills
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install tronlink-skills

ClawHub CLI


npx clawhub@latest install tronlink-skills
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill's name/description promise read-only TRON wallet queries. However the package contains an installer (install.sh), an MCP server (scripts/mcp_server.mjs) that registers global tools, and a large package-lock with crypto/web3 libs (tronweb, ethers, bip39, @noble/*, aes-js). Those dependencies are capable of key derivation/signing even though package.json declares no dependencies and README asserts 'read-only'. The mismatch between claimed scope and included components is disproportionate and unexplained.
Instruction Scope
SKILL.md commands themselves are limited to running node scripts/tron_api.mjs with address/contract parameters (balance, token list, tx history, validate address). That is coherent with the stated purpose. However other docs (integration guides) and mcp_server instruct the agent/environment to execute these scripts (including uploading/trusting tron_api.mjs in remote Claude conversations). The installer also copies/edits project-level files (CLAUDE.md, symlinks into project directories) which expands the runtime scope beyond simple read-only queries.
Install Mechanism
Registry metadata said 'instruction-only' but the repository includes install.sh and an explicit curl | sh installation example (raw.githubusercontent.com). The installer clones from GitHub (a known host) and auto-registers MCP servers and symlinks into user config directories. While GitHub is a standard host, piping a remote install script to sh is a risky pattern and the presence of an installer not declared in the registry is an incoherence to surface.
Credentials
The skill declares no required env vars in registry, but documentation references an optional TRONGRID_API_KEY and TRON_NETWORK. Those optional vars are appropriate for a TRON API client. However the repository includes cryptographic and wallet-related libraries (bip39, ethereum-cryptography, aes-js, tronweb/ethers in package-lock) that could be used to manage private keys; this contradicts the README's 'read-only' claim and merits inspection before granting any environment-level secrets or copying code into production.
Persistence & Privilege
The installer attempts to register a global MCP server (claude mcp add -s user tronlink) and create symlinks / copy files into user project/config directories (.cursor, ~/.agents/skills, ~/.config/opencode, etc.). Although always:false and autonomous invocation are normal, the install scripts modify other tools' configurations and register global tools — a higher privilege action that should be intentional and audited.
What to consider before installing
This package contains code and an installer despite being listed as 'instruction-only' — treat it as a code package, not just documentation. Before installing or running anything: 1) Inspect scripts/tron_api.mjs and the rest of scripts/ for any code that reads files, asks for or stores private keys, or posts data to unexpected endpoints. 2) Do NOT run the shown curl | sh installer without reviewing its contents; prefer to git clone the repo and read install.sh locally. 3) Verify repository origin (GitHub org and commit history) and confirm you trust it. 4) If you only need read-only queries, consider running individual scripts in a sandboxed environment (container or VM) and avoid registering the MCP server globally. 5) If asked to provide keys/secrets, refuse unless you reviewed the code that will use them; TRONGRID_API_KEY is reasonable for rate limits, but never provide private keys or seed phrases. If you want, I can scan scripts/tron_api.mjs and any remaining omitted files for specific risky operations (key handling, network exfiltration, unsafe shell execution) — give me permission to analyze those files further.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • scripts/mcp_server.mjs:398: Shell command execution detected (child_process).
  • scripts/tron_api.mjs:21: Environment variable access combined with network send.


192 downloads, 0 stars, 1 version, updated 1h ago
Version: v1.0.1
License: MIT-0

TRON Wallet Management

6 commands for wallet balance, TRC-20 holdings, transaction history, account info, address validation, and multi-sig support.

Pre-flight Checks

  1. Confirm Node.js: Run `node -e "console.log('ok')"` (Node.js >= 18 required)

  2. API Key (optional): For higher rate limits, set:

    export TRONGRID_API_KEY="your-api-key"
    

Skill Routing

  • For token metadata / search → use tron-token
  • For market prices / charts → use tron-market
  • For DEX swap → use tron-swap
  • For energy / bandwidth → use tron-resource
  • For staking / voting → use tron-staking

Commands

1. Check TRX Balance

node scripts/tron_api.mjs wallet-balance --address <TRON_ADDRESS>

Returns: TRX balance (human-readable), frozen TRX, account creation time.

2. Check TRC-20 Token Balance

node scripts/tron_api.mjs token-balance --address <TRON_ADDRESS> --contract <TOKEN_CONTRACT>

Common TRC-20 contracts:

USDT:  TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t
USDC:  TEkxiTehnzSmSe2XqrBj4w32RUN966rdz8
WTRX:  TNUC9Qb1rRpS5CbWLmNMxXBjyFoydXjWFR
BTT:   TAFjULxiVgT4qWk6UZwjqwZXTSaGaqnVp4
JST:   TCFLL5dx5ZJdKnWuesXxi1VPwjLVmWZZy9
SUN:   TSSMHYeV2uE9qYH95DqyoCuNCzEL1NvU3S
WIN:   TLa2f6VPqDgRE67v1736s7bJ8Ray5wYjU7

3. Get All TRC-20 Holdings

node scripts/tron_api.mjs wallet-tokens --address <TRON_ADDRESS>

Returns: list of all TRC-20 tokens with balances, symbols, and USD values.

4. Transaction History

node scripts/tron_api.mjs tx-history --address <TRON_ADDRESS> --limit 20

Returns: recent transactions with type, amount, timestamp, status.

5. Account Info

node scripts/tron_api.mjs account-info --address <TRON_ADDRESS>

Returns: account creation date, permissions, resource overview, frozen balances, voting info.

6. Validate Address

node scripts/tron_api.mjs validate-address --address <ADDRESS>

Returns: whether the address is valid TRON Base58Check format.

Address Format Notes

  • TRON addresses start with T and are 34 characters long (Base58Check)
  • Hex addresses start with 41 and are 42 hex characters
  • Example: TNPeeaaFB7K9cmo4uQpcU32zGK8G1NYqeL
  • The script accepts both formats and auto-converts
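The two address forms described above, and the check the validate-address command performs, as an added Python example that is not part of the skill's own scripts: it decodes Base58Check using TRON's 0x41 version byte, verifies the 4-byte double-SHA256 checksum, and converts between the T... and 41... forms. The checksum construction and the 0x41 version byte are standard Base58Check/TRON facts the page does not spell out; the 20-byte payload used in the test is constructed.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # no 0, O, I, l
TRON_PREFIX = 0x41  # mainnet version byte, hence hex addresses start with "41"

def _checksum(payload):
    # Base58Check: first 4 bytes of SHA256(SHA256(payload)).
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def base58check_encode(payload):
    data = payload + _checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))  # leading zero bytes encode as '1'
    return "1" * pad + out

def base58check_decode(text):
    # Returns the payload without its checksum, or None if anything is off.
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the Base58 alphabet
        n = n * 58 + idx
    pad = len(text) - len(text.lstrip("1"))
    data = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(data) < 5 or _checksum(data[:-4]) != data[-4:]:
        return None  # too short, a typo, or a tampered address
    return data[:-4]

def tron_to_hex(address):
    # Accepts T... Base58Check (34 chars) or 41... hex (42 chars); returns lowercase hex or None.
    if len(address) == 42 and address[:2] == "41":
        try:
            return bytes.fromhex(address).hex()  # rejects non-hex characters
        except ValueError:
            return None
    if len(address) != 34 or address[0] != "T":
        return None
    raw = base58check_decode(address)
    if raw is None or len(raw) != 21 or raw[0] != TRON_PREFIX:
        return None  # bad checksum, wrong length, or not a mainnet prefix
    return raw.hex()

def hex_to_tron(hex_address):
    raw = bytes.fromhex(hex_address)
    if len(raw) != 21 or raw[0] != TRON_PREFIX:
        raise ValueError("expected 21 bytes starting with 0x41")
    return base58check_encode(raw)
```

A None result is the point at which to stop before handing an address to any of the scripts: a failed checksum almost always means a typo or an address that was altered in transit.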

Common Token Contracts (Mainnet)

USDT:  TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t
USDC:  TEkxiTehnzSmSe2XqrBj4w32RUN966rdz8
WTRX:  TNUC9Qb1rRpS5CbWLmNMxXBjyFoydXjWFR
TUSD:  TUpMhErZL2fhh4sVNULAbNKLokS4GjC1F4
BTT:   TAFjULxiVgT4qWk6UZwjqwZXTSaGaqnVp4
JST:   TCFLL5dx5ZJdKnWuesXxi1VPwjLVmWZZy9
SUN:   TSSMHYeV2uE9qYH95DqyoCuNCzEL1NvU3S
WIN:   TLa2f6VPqDgRE67v1736s7bJ8Ray5wYjU7
NFT:   TFczxzPhnThNSqr5by8tvxsdCFRRz6cPNq
APENFT: TFczxzPhnThNSqr5by8tvxsdCFRRz6cPNq

Troubleshooting

"Account not found": The address has never been activated on TRON. A minimum of 1 TRX must be sent to activate it.

"Bandwidth insufficient": The account has used up its daily free bandwidth (600). Either wait for the daily reset or freeze TRX for bandwidth; otherwise the transaction will burn TRX as the fee.

"Energy insufficient for TRC-20": Smart contract calls require Energy. Freeze TRX for Energy via tron-staking, or TRX will be burned (often 13-27 TRX for a USDT transfer).
