Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Wallet CLI
v1.4.0Manage crypto wallets (Ethereum, Solana, Polygon, Arbitrum, Base) via agent-wallet-cli. Use for checking balances, sending tokens (ETH/SOL/ERC-20/SPL), signi...
⭐ 0· 827·3 current·3 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (wallet CLI) match the declared binary and npm install. Required env vars (WALLET_PASSWORD, WALLET_SESSION_TOKEN) and required binary (agent-wallet-cli) are directly related to the claimed functionality. No unrelated services, credentials, or unexpected config paths are requested.
Instruction Scope
SKILL.md instructs the agent to run agent-wallet-cli commands to init/import/unlock/send/lock/export and to use session tokens for automation. This is in-scope for a wallet CLI. Important security note in the instructions: session tokens allow signing/sending transactions; WALLET_PASSWORD (if provided) is more powerful. The instructions also encourage installing globally and using --yes for non-interactive flows, which intentionally gives the agent power to perform irreversible transfers — this is expected but high-risk in practice.
Install Mechanism
Install is via npm (agent-wallet-cli), which is an expected package source for a CLI distributed on npm. This is a typical install method; npm supply-chain risks apply but the mechanism itself is coherent and not unusual or suspicious.
Credentials
Only two sensitive env vars are declared and both are appropriate for a wallet CLI. They are optional and documented. However, a WALLET_SESSION_TOKEN enables signing and sending transactions (the primary operational capability), and WALLET_PASSWORD would enable more powerful actions (init/import/export). The sensitivity is proportional but operationally powerful — avoid giving WALLET_PASSWORD to the agent and prefer short-lived session tokens.
Persistence & Privilege
Skill does not request always:true and does not ask to modify other skills or system-wide configs. Autonomous invocation is allowed (platform default); combined with session tokens this could let the agent act without user prompts, which is expected behavior for automation but should be considered when granting tokens.
Scan Findings in Context
[no_regex_findings] expected: Scanner found no code files to analyze (skill is instruction-only with an install spec). This is expected; absence of findings does not prove safety — you should still verify the npm package and repository before use.
Assessment
This skill appears to do what it claims, but it handles live signing keys. Before installing: 1) Audit the GitHub repo and verify the npm package matches the repo (npm info/compare checks). 2) Never give the agent your WALLET_PASSWORD; instead unlock the wallet yourself and provide a time-limited WALLET_SESSION_TOKEN with a short duration. 3) Test with small amounts and short sessions first. 4) Run in an isolated environment if possible and avoid storing tokens in long-lived environment variables or shell history. 5) Revoke/lock the wallet after use and rotate credentials if anything looks off.Like a lobster shell, security has layers — review code before you run it.
latestvk97dk62yvsfjc4dk257typ16jx81etc6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsagent-wallet-cli
EnvWALLET_PASSWORD (sensitive, optional): Wallet encryption password — passed via --password or piped via stdin. Only needed for init/import/unlock/export., WALLET_SESSION_TOKEN (sensitive, optional): Time-limited session token (wlt_...) from unlock. Used for all operations via --token.
Install
Install agent-wallet-cli (npm)
Bins: agent-wallet-cli
npm i -g agent-wallet-cli