Vincent - Agent Wallet
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is a disclosed crypto-wallet integration, but it gives an agent broad financial transaction and signing authority without clearly showing per-action approval or tight scope limits in the provided artifacts.
Review carefully before installing. If you use it, create a new low-balance wallet, set strict spending and contract-call policies, require manual confirmation for every transaction or signature, and verify the Vincent/heyvincent.ai service before storing API keys or funding the wallet.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent uses the stored wallet credential with permissive policies, it could transfer assets, approve tokens, swap funds, or call contracts in ways the user did not intend.
The skill exposes APIs for irreversible on-chain financial actions, including arbitrary smart-contract interaction, but the visible artifact does not clearly require transaction-by-transaction user approval.
Transfer ETH or Tokens ... Execute a swap ... Send Arbitrary Transaction: Interact with any smart contract by sending custom calldata.
Use only with strict wallet policies, low spending limits, and explicit user review for every transfer, swap, signature, bet, or arbitrary contract call.
Anyone or any agent process that can read and use this API key may be able to operate the wallet within its policy limits.
The bearer token is a persistent delegated wallet credential for future API calls. In this context, credential access can translate into financial authority, not just read-only service access.
All API requests require a Bearer token ... store and retrieve it from `~/.openclaw/credentials/agentwallet/<API_KEY_ID>.json` ... use it as the Bearer token for all future requests
Treat the API key like a spending credential: restrict file access, rotate it if exposed, keep wallet policies narrow, and avoid storing keys for wallets with significant funds.
Users have limited artifact-based information for verifying the provider or implementation behind the wallet service.
There is no reviewed code package or homepage/source provenance in the provided artifacts, which matters more for a skill that routes financial actions through an external API.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Verify the provider independently before funding the wallet or granting the agent meaningful spending authority.
