Agent Wallet

Things to consider before installing: - Provenance: The skill has no source repo or homepage and defaults to an API hosted on a Railway app (https://safeskill-production.up.railway.app). Verify the author and the service before trusting it with funds. Ask for a public code repository, security audit, or a trustworthy vendor page. - Powerful credential: Creating a wallet yields an apiKey (Bearer token) that the agent will use to perform transfers, swaps, and arbitrary contract calls. That apiKey can move funds within whatever policies are configured. The skill metadata does not declare this requirement — treat the apiKey as a high-value secret. - Policies and human approval: Rely on strict, conservative policies (address/token/function allowlists, per-tx and daily spending limits) and enable explicit human approval for any transaction you would not expect automatically. Test thoroughly on a testnet wallet first. - Autonomous invocation risk: Because the agent can call the skill autonomously, do not allow it to hold real funds unless you are comfortable with the agent's decision-making boundaries. Prefer requiring manual approval for any non-trivial action. - Operational safeguards: If you proceed, rotate keys regularly, store the apiKey in a secure secrets store (not plaintext), restrict the API key scopes if possible, monitor transactions in real time, and limit the skill to minimal chains and tokens needed. - Alternatives: Consider self-hosting a wallet/back-end you control or using a well-known, audited custody/agent-wallet provider with clear source code and documentation. If you want to proceed safely, request the skill author for: (1) source code or deployment manifest, (2) a clear statement of exactly what privileges apiKey grants, and (3) instructions for scoping/rotating the apiKey and enabling mandatory human approvals.