Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent-Wallet
v1.0.1Route wallet workflows for agents that need to generate or import wallets using either a seed phrase or private key. Use when the user asks for wallet creati...
⭐ 0· 74·0 current·0 all-time
byAkinsuyi Joshua@beardkoda
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description and the SKILL.md content align: the skill documents wallet generation, import, balance checks, and sending via viem. However, registry metadata lists no required environment variables or credentials while the SKILL.md explicitly requires RPC_URL, SEED_PHRASE, and PRIVATE_KEY; that metadata omission is an inconsistency that should be resolved.
Instruction Scope
The runtime instructions stay within the stated wallet purpose: they describe derive/import/generate flows, balance reads, and send flows, and include explicit guardrails (ask before reading secrets, never print full secrets, require confirmations for broadcasts). The docs reference only expected files/env (process.env.* examples) and standard RPC endpoints — no unexpected external endpoints or data-exfiltration steps are present.
Install Mechanism
This is instruction-only and has no install spec. It requires Node.js 18+ and the 'viem' package but does not specify how/where dependencies are installed. That is not inherently malicious, but it means the runtime environment must already provide viem or the agent/platform will need to install it — check how your platform installs third-party packages before use.
Credentials
The sensitive environment inputs requested by the SKILL.md (RPC_URL, SEED_PHRASE, PRIVATE_KEY) are appropriate for a wallet skill. The concern is that the registry metadata does not declare any required env vars or a primary credential, and the skill source is 'unknown' with no homepage — this mismatch and lack of provenance reduces trust and increases the risk that secrets could be mishandled if the agent or platform does not enforce the documented guardrails.
Persistence & Privilege
The skill does not request permanent always-on inclusion and does not attempt to modify other skills or system-wide settings. It instructs storing secrets in secure secret storage (vault/key manager) which is appropriate; confirm your platform's secure storage mechanism will be used rather than ad hoc persistence.
What to consider before installing
This skill appears to be a legitimate wallet workflow spec, but exercise caution: 1) The registry metadata lacks declared env vars while the docs require RPC_URL, SEED_PHRASE, and PRIVATE_KEY — verify where and how these secrets will be stored and accessed before providing them. 2) Confirm the platform enforces the SKILL.md guardrails (agent must prompt for consent before reading secrets and must not echo full secrets). 3) Ensure 'viem' and Node.js are installed from official sources on the runtime and that the platform does not silently fetch arbitrary code. 4) Because the skill source and homepage are unknown, avoid using it with real/mainnet funds until you have tested flows on a testnet and validated secret storage behavior. 5) If possible, review any runtime code the agent will execute (or require the skill author to publish source) to confirm there are no hidden exfiltration steps. If you cannot verify these points, treat the skill as untrusted for handling real private keys or seed phrases.Like a lobster shell, security has layers — review code before you run it.
latestvk9705qxgkqsmrwx7cthj0gp3n984nrbm
License
MIT-0
Free to use, modify, and redistribute. No attribution required.