MuHaven RWA Portfolio (rehearsal)

Confidential real-world-asset (RWA) portfolio agent built on MuHaven's Fhenix-CoFHE-encrypted token primitives. Read your encrypted balances, stage yield claims, draft buys + claims for human confirmation. Position tools NEVER auto-submit — every state-mutating action goes through a three-tier confirmation surface (inline button ≤$200, Mini App + 6-digit OTP $200-$5K, deep-link passkey >$5K).

Audits

Pass

Install

openclaw skills install muhaven-rwa-skill-rehearsal

MuHaven RWA Portfolio — OpenClaw skill

This skill bundles a curated subset of @muhaven/mcp plus an OpenClaw-shaped config bundle. It runs in OpenClaw's NemoClaw runtime (or any MCP host that honours the manifest's permissions block) and connects to the live MuHaven backend at https://api.muhaven.app.

What it does

  • Reads your encrypted RWA portfolio — balances stay encrypted with Fhenix CoFHE; the skill never sees plaintext.
  • Stages buy + claim intents for the OpenClaw surface — the skill never auto-submits. Every intent emits a structured confirmation request to one of three tiers based on amount.
  • Surfaces the audit log for compliance / forensics.
  • /pause kill-switch uninstalls the on-chain @zerodev/permissions validator within one Arb block.

What it intentionally cannot do

  • Move funds without your passkey. The skill issues unsigned UserOp envelopes; signing happens in the muhaven-broker daemon (≤$200 inline callback) or in your dashboard / Mini App (>$200 tiers).
  • Speak to anything outside the egress allowlist. manifest.json's network.deny_default: true means a tampered binary cannot exfiltrate to a third party.
  • Read or write your filesystem. permissions.filesystem.{read,write}: [].
  • Spawn child processes. permissions.process.spawn: [].
  • Store any secret. JWT lives in muhaven-broker's OS-keychain entry; the skill calls the broker over Unix-socket / named-pipe IPC.

How to install

  1. Install plain OpenClaw + ClawHub CLI globally:
    npm install -g openclaw@latest clawhub
    openclaw --version    # confirm install
    clawhub --version
    
    (Runtime decision 2026-05-11: plain OpenClaw under sandbox.fallback: host_native. NemoClaw remains the preferred runtime claim in manifest.json for forward-compat; today's deploy targets plain OpenClaw.)
  2. Install the broker daemon separately as a global so its bin lands on $PATH regardless of ClawHub's bin-handling:
    npm install -g @muhaven/mcp@0.1.2
    muhaven-broker --version    # sanity check
    
    (ClawHub install resolves the skill's transitive @muhaven/mcp dep into a runtime-local node_modules. The muhaven-broker bin may not surface on $PATH without this separate global install.)
  3. Install the skill:
    clawhub install muhaven-rwa-skill@0.1.0
    
  4. Start the broker daemon: muhaven-broker (see @muhaven/mcp README).
  5. Authenticate: muhaven-broker login — opens browser to https://muhaven.app/link?code=XXXX-XXXX, complete passkey.
  6. Optional: link your Telegram account for the /agent/openclaw/* confirmation surface. From the dashboard /agent page → Telegram tab → "Link Telegram" → message the bot at @muhaven_bot with the one-time link code.

Confirmation tiers

The skill never executes a state-mutating action without a confirmation. Three tiers based on intent notional (USDC):

| Range | Surface | Why |
|---|---|---|
| ≤ $200 | Telegram inline keyboard "Confirm" button | Low blast radius. Same trust model as a $200 mobile wallet payment — single-tap inline. |
| $200 – $5,000 | Mini App with 6-digit OTP sent via separate Telegram message | Defends against a chat-stuffing attack where the LLM emits a Confirm button users tap on autopilot. OTP is out-of-band. |
| > $5,000 | Deep-link to dashboard https://muhaven.app/agent/confirm?intent=… for passkey signature | Phishing-resistant by construction — WebAuthn RP-ID is bound to the dashboard origin; a Telegram-based MITM cannot complete passkey. |

Tier boundaries are audit-logged in agent_audit_events with the amount-bucket the intent fell into. Investors can lower the boundaries in the dashboard /agent policy tab; they cannot raise them above the hardcoded ceilings (regulatory + Reg BI Care Obligation).
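
A sketch of the tier routing and boundary clamping described above, added here as an illustration and not taken from the skill's source. The policy field names and tier labels are assumptions; the $200 and $5,000 ceilings are the ones in the table.

```javascript
// Added example. Amounts are integer micro-USDC (6 decimals) held as BigInt,
// so tier edges such as exactly $200 never suffer float rounding.
const USDC = 1_000_000n;

// Hardcoded ceilings from the tier table: inline <= $200, OTP <= $5,000.
const CEILINGS = Object.freeze({ inlineMax: 200n * USDC, otpMax: 5_000n * USDC });

// Investor policy may lower a boundary but never raise it above its ceiling.
// The policy field names (inlineMax, otpMax) are assumptions for this sketch.
function effectiveBoundaries(policy = {}) {
  const clamp = (value, ceiling) => {
    if (value === undefined) return ceiling;            // no override set
    if (typeof value !== "bigint" || value < 0n) {
      throw new TypeError("policy boundary must be a non-negative bigint");
    }
    return value < ceiling ? value : ceiling;           // raises are ignored
  };
  let inlineMax = clamp(policy.inlineMax, CEILINGS.inlineMax);
  const otpMax = clamp(policy.otpMax, CEILINGS.otpMax);
  // If the OTP bound was lowered below the inline bound, shrink the inline
  // tier too, so the stricter setting always wins.
  if (inlineMax > otpMax) inlineMax = otpMax;
  return { inlineMax, otpMax };
}

// Returns the confirmation tier for an intent; tier labels are hypothetical.
function confirmationTier(amountMicroUsdc, policy) {
  if (typeof amountMicroUsdc !== "bigint" || amountMicroUsdc <= 0n) {
    throw new RangeError("intent notional must be a positive bigint");
  }
  const { inlineMax, otpMax } = effectiveBoundaries(policy);
  if (amountMicroUsdc <= inlineMax) return "inline_button";
  if (amountMicroUsdc <= otpMax) return "mini_app_otp";
  return "passkey_deeplink";
}
```

Malformed amounts throw instead of defaulting to a tier, so a bad intent can never fall through to the single-tap path.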

Hardening invariants (do NOT relax without audit)

  • permissions.network.deny_default: true — every new endpoint requires a manifest update + signed re-publish.
  • permissions.secrets.storage: os_keychain — paste-token UX is forbidden.
  • runtime.type: node — no shell, no Python, no JIT-compiled blob.
  • mcp.toolset_subset is the only set of tools the skill will dispatch to — additions require an ADR + signed re-publish.
  • Sigstore signing + GitHub OIDC trusted publishing — long-lived ClawHub tokens are not used. ClawHavoc (Feb 2026) precedent.
  • required_reviewers: 2 — single-maintainer publish is rejected at the policy gate. Two-maintainer release is the lesson from the Anthropic MCP SDK STDIO arbitrary-command CVEs (Apr 2026).
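
One way to enforce the manifest-level invariants as a pre-publish gate, added here as an example and not part of the skill's own tooling. The key paths are the ones quoted on this page; where `required_reviewers` and `mcp.toolset_subset` nest inside manifest.json, and the tool names, are assumptions.

```javascript
// Added example. Expected values come from the hardening list above; where
// required_reviewers and mcp.toolset_subset sit in manifest.json is assumed.
const get = (obj, path) =>
  path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
const isEmptyArray = (v) => Array.isArray(v) && v.length === 0;

// Returns a list of violated invariants; an empty list means the gate passes.
function checkManifest(manifest, approvedTools) {
  const failures = [];
  const expect = (path, ok, want) => {
    const got = get(manifest, path);
    if (!ok(got)) failures.push(`${path}: want ${want}, got ${JSON.stringify(got)}`);
  };
  expect("permissions.network.deny_default", (v) => v === true, "true");
  expect("permissions.secrets.storage", (v) => v === "os_keychain", "os_keychain");
  expect("permissions.filesystem.read", isEmptyArray, "[]");
  expect("permissions.filesystem.write", isEmptyArray, "[]");
  expect("permissions.process.spawn", isEmptyArray, "[]");
  expect("runtime.type", (v) => v === "node", "node");
  // The page pins 2; accepting more reviewers is this sketch's choice.
  expect("required_reviewers", (v) => Number.isInteger(v) && v >= 2, ">= 2");
  expect("mcp.toolset_subset",
    (v) => Array.isArray(v) && v.length > 0 && v.every((t) => approvedTools.includes(t)),
    "non-empty subset of approved tools");
  return failures;
}

// Constructed sample; tool names are placeholders, not the real toolset.
const APPROVED_TOOLS = ["example_read_portfolio", "example_stage_claim"];
const SAMPLE_MANIFEST = {
  runtime: { type: "node" },
  required_reviewers: 2,
  mcp: { toolset_subset: ["example_read_portfolio", "example_stage_claim"] },
  permissions: {
    network: { deny_default: true },
    secrets: { storage: "os_keychain" },
    filesystem: { read: [], write: [] },
    process: { spawn: [] },
  },
};
```

A missing key is reported the same way as a wrong value, so deleting a permissions block cannot pass the gate silently.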

Tool inventory (subset of @muhaven/mcp)

See manifest.json and the upstream descriptors in @muhaven/mcp/src/tools/descriptions.ts. The skill only re-advertises the mcp.toolset_subset listed in this frontmatter; descriptor SHA-256 hashes are pinned in tool-hashes.json and verified on every skill load (mcp-context-protector pattern, post-MCPoison).
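
The load-time pin check described above, sketched as an added example that is not the skill's own loader. The tool-hashes.json layout (tool name mapped to a hex SHA-256), the canonicalization step and the tool names are assumptions.

```javascript
// Added example. The tool-hashes.json layout ({ toolName: sha256hex }) and the
// descriptor fields are assumptions; tool names are placeholders.
const { createHash } = require("node:crypto");

// Deterministic JSON: object keys are sorted recursively, so the digest does
// not change when a descriptor is re-serialized with a different key order.
function canonicalize(value) {
  if (Array.isArray(value)) return `[${value.map(canonicalize).join(",")}]`;
  if (value !== null && typeof value === "object") {
    const members = Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonicalize(value[k])}`);
    return `{${members.join(",")}}`;
  }
  return JSON.stringify(value);
}

function descriptorHash(descriptor) {
  return createHash("sha256").update(canonicalize(descriptor), "utf8").digest("hex");
}

// Fail closed: a tool is advertised only if it is pinned and its hash matches.
function verifyDescriptors(descriptors, pinned) {
  const accepted = [];
  const rejected = [];
  for (const d of descriptors) {
    const isPinned = Object.prototype.hasOwnProperty.call(pinned, d.name);
    if (!isPinned) rejected.push({ name: d.name, reason: "unpinned" });
    else if (pinned[d.name] !== descriptorHash(d)) {
      rejected.push({ name: d.name, reason: "hash_mismatch" });
    } else accepted.push(d.name);
  }
  return { accepted, rejected };
}

// Constructed sample descriptors, pinned as they stood at review time.
const REVIEWED = [
  { name: "example_read_portfolio", description: "Read encrypted balances." },
  { name: "example_stage_claim", description: "Stage a yield claim intent." },
];
const PINNED = Object.fromEntries(REVIEWED.map((d) => [d.name, descriptorHash(d)]));
```

Any change to a descriptor's text after review, including a reworded description, produces a `hash_mismatch` and keeps that tool out of the advertised set.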

Reference docs

  • ADR-C in development/research-docs/WAVE_4_AGENTIC_RESEARCH_RESULT.md
  • development/DEV_WAVE_4/TOOL_NAMESPACE.md for the full naming surface
  • development/DEV_WAVE_4/THREAT_MODEL_P0.md for OWASP LLM + Agentic mappings

License

MIT. See LICENSE in the repository root.