ClawHub

circle-wallet

v1.0.17

USDC wallet capabilities for OpenClaw agents via Circle Developer-Controlled Wallets

5· 4k·0 current·0 all-time
by@eltontay
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (Circle USDC wallet) match the code and declared dependencies (@circle-fin/developer-controlled-wallets). The CLI and SDK calls are appropriate for creating wallets, checking balances, sending USDC, and requesting testnet tokens.
Instruction Scope
The SKILL.md and CLI instruct only wallet-related actions (setup/configure/create/balance/send/drip). Instructions ask the user to run npm install/npm link locally and to provide an API key; there are no instructions to read unrelated system files or to exfiltrate arbitrary data.
Install Mechanism
The skill is listed as instruction-only (no platform install spec), but the bundle includes full source and a package.json with a postinstall build. Installation relies on npm (pulls packages from npmjs.org, including @circle-fin/developer-controlled-wallets). This is a typical workflow but requires the user to run npm install/npm link manually — not an arbitrary URL download.
!
Credentials
The registry metadata declares no required env vars or primary credential, yet SKILL.md and the CLI clearly require/provide using a Circle API key and an entity secret. The skill saves API key/entitySecret to ~/.openclaw/circle-wallet/config.json (plaintext) which is expected for a local CLI but is sensitive and should be noted. There are no unrelated credentials requested.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It writes only to its own config directory (~/.openclaw/circle-wallet/) and does not modify other skills or system-wide settings. Network access is limited to Circle's API via the SDK.
Assessment
This skill appears to implement the Circle developer-controlled wallet functionality it advertises, but take these precautions before installing: - Verify the source: the package.json points to a GitHub repo (https://github.com/eltontay/clawhub_circle_wallet_skill). Inspect that repo or contact the author before trusting it in production. - Credentials: the tool requires a Circle API key and an entity secret. The registry metadata did not list these, but SKILL.md and the CLI use and store them. Expect these secrets to be saved in plaintext at ~/.openclaw/circle-wallet/config.json and wallets.json — restrict file permissions and avoid using high-privilege production keys until you trust the code. - Use sandbox first: test with CIRCLE_ENV=sandbox and sandbox API keys and the drip/testnet flows before using mainnet credentials or real funds. - Installation: you (or your admin) must run npm install in the skill folder (it depends on packages from npmjs.org). Review package-lock.json for dependency sources and versions if you have strict supply-chain requirements. - Least privilege & rotation: create limited Circle API keys when possible and rotate/revoke them if you stop using the skill. If you want a deeper assurance, ask the maintainer for a signed release, or have someone you trust audit the included source and the external @circle-fin dependency before granting production credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk975ccpkfpnrkxhfvj438mm0e580cjp0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments