Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Vincent - Agent Wallet
v1.0.0
Use this skill to safely create a wallet the agent can use for transfers, swaps, and any EVM chain transaction. Also supports raw signing and Polymarket betting.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly requires an API key (Bearer token) to create and operate wallets on heyvincent.ai; however the registry metadata lists no primary credential or required env vars. That is inconsistent: the skill cannot function as documented without a secret but the package does not declare or surface that requirement. Also there is no source/homepage provided for the publisher, making it harder to validate.
Instruction Scope
The runtime instructions are narrowly focused on wallet operations (create wallet, get balances, transfer, swap, raw signing, Polymarket betting). They explicitly instruct storing and using an API key (paths such as ~/.openclaw/credentials/agentwallet/<API_KEY_ID>.json or ./agentwallet/...), and describe interactions with a remote API (heyvincent.ai). They do not instruct reading unrelated system files, but they do instruct where to persist credentials, which can increase risk if the files are accessible to other components.
Install Mechanism
Instruction-only skill with no install spec and no code files — low install risk. However it relies on outbound network calls to a third‑party domain (heyvincent.ai), which is expected for a hosted wallet service but should be verified by the user.
Credentials
Although the skill requires an API key to operate, the metadata declares no required environment variables or primary credential. That omission is disproportionate and problematic: the skill will expect and use a secret, but the platform won't prompt for or label it. The SKILL.md also recommends specific storage paths for credentials, which could be sensitive if other skills or processes can access them.
Persistence & Privilege
The skill does not request always:true and has typical autonomous-invocation defaults. That is normal. Note: if you grant the skill (or the agent) the API key, it can autonomously initiate transfers within the wallet's policy — so giving the key is effectively granting on‑chain transaction capability.
What to consider before installing
This skill appears to implement an agent-controlled wallet via a hosted API (heyvincent.ai). Before installing: (1) verify the publisher and service (no source/homepage provided here); (2) confirm you trust heyvincent.ai to custody private keys and to act on the agent's behalf; (3) insist that the registry metadata be updated to declare the required API key/primary credential so the platform can surface and protect it; (4) store any API keys securely (avoid world-readable locations) and prefer per-agent, least-privilege API keys and strict spending policies; (5) test with minimal funds and monitor transactions; (6) if you cannot validate the service or the publisher, do not provide real funds or long‑lived credentials.
Like a lobster shell, security has layers — review code before you run it.
