Openclast Wallet

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a transparent wallet guidance skill with approval and key-safety warnings, but users should treat it carefully because wallet actions and key export are high-impact.

This skill is not showing malicious behavior in the provided artifacts, but wallet actions are sensitive. Before using it, confirm you trust the wallet CLI, keep approval mode on, verify every transaction, and avoid private-key export unless you fully understand the risk.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may help prepare blockchain sends, approvals, or contract calls; if approved, those actions may be irreversible.

Why it was flagged

The skill instructs the agent around wallet transaction operations, which can have irreversible financial impact, but it explicitly requires a pending transaction and user approval by default.

Skill content

All send/approve/contract operations create a **pending transaction** that requires explicit approval.

Recommendation

Review every pending transaction, recipient, chain, amount, and approval scope before allowing broadcast; keep notify/approval mode unless you deliberately configured auto mode with strict limits.

What this means

If a private key is exported or exposed, anyone who obtains it could control the wallet.

Why it was flagged

Private-key export is highly sensitive account authority. The artifact acknowledges the risk and requires confirmation, so this is a purpose-aligned note rather than a concern.

Skill content

Never expose private keys by default. If the user asks for export:
- Require explicit confirmation.
- Warn that key export is dangerous and should be protected.

Recommendation

Avoid exporting private keys unless absolutely necessary, use OS keychain storage where possible, and never paste exported keys into untrusted chats, files, or tools.

What this means

Running an unverified wallet CLI could change local wallet configuration or interact with wallet state outside what was reviewed here.

Why it was flagged

The skill references an external CLI and installer-style command, while the provided package is instruction-only and does not include the CLI implementation or install provenance.

Skill content

`openclast-wallet setup` creates `wallet-config.json` in the current folder. ... `openclast-wallet install-skill`

Recommendation

Only install or run the openclast-wallet CLI from a trusted source, inspect generated configuration, and avoid running installer commands blindly.