Agent Wallet
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is transparent about being a hosted crypto wallet API, but it gives an agent broad, potentially irreversible blockchain transaction authority through an API key and an unreviewed remote service.
Review this carefully before installing or funding it. Only use it if you trust the hosted wallet provider, keep the API key secret, claim the wallet immediately, set strict spending limits and allowlists, require human approval where possible, and avoid arbitrary smart-contract transactions unless you fully understand them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent has the API key and the wallet is funded, a mistaken or manipulated request could move funds, approve tokens, or call contracts in ways that may be irreversible.
The skill exposes direct API operations for transfers, swaps, and arbitrary smart-contract calls. These are purpose-aligned for a wallet, but they are high-impact financial actions and the instructions do not clearly require explicit user approval before execution.
Transfer ETH or Tokens ... Execute a swap ... Send Arbitrary Transaction ... Interact with any smart contract by sending custom calldata.
Require explicit user confirmation for every transfer, swap, or arbitrary transaction; set strict allowlists and spending limits before funding the wallet.
Anyone or any agent with the API key may be able to operate the wallet within its configured policies.
The API key is a delegated credential for future wallet actions. Because those actions include transfers and arbitrary transactions, this is high-impact authority that should be carefully scoped and declared.
All API requests require a Bearer token (the API key returned when creating a wallet). ... `apiKey` -- store this securely; use it as the Bearer token for all future requests
Treat the API key like a financial credential: store it securely, rotate it if exposed, and do not fund the wallet until restrictive policies and approval requirements are in place.
Users must trust the remote service with wallet key generation and transaction execution, which is especially sensitive for funded crypto wallets.
The skill relies on a hosted third-party service to generate private keys and execute wallet operations. The provided artifacts include no service code, homepage, or source provenance to verify that custody and policy enforcement are implemented safely.
default to `https://safeskill-production.up.railway.app` ... This generates a private key server-side (you never see it)
Verify the provider, implementation, audit status, and recovery/rotation process before using this with real funds; start on testnets or with very small amounts.
