Skill v1.0.1
ClawScan security
AgentWallex Payment · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 11, 2026, 11:51 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches a crypto-payment integration, but its manifest and runtime instructions disagree (where credentials are stored and whether an optional environment variable is used), and because it can perform fund transfers you should verify the details before installing.
- Guidance: Before installing: (1) Confirm you trust AgentWallex and the homepage/docs (verify the domain and the service's legitimacy). (2) Ask the maintainer/platform to reconcile the manifest: SKILL.md expects a local config at ~/.openclaw/agentwallex/config.json and mentions AGENTWALLEX_BASE_URL, but the registry metadata claimed no config paths or env vars; this inconsistency should be fixed. (3) Only provide API keys via the documented setup flow; prefer sandbox/testnet API keys (awx_sk_test_*) until you have verified the behavior. (4) Confirm that the OpenClaw platform enforces the declared human confirmation for transfers (so the model cannot send funds without an explicit human OK). (5) Verify the saved config file permissions (0600) and consider whether you want live keys stored on this machine; if unsure, do not store production keys and use testnet only. If you can obtain the actual implementation (the code that runs the requests) or platform assurances about human confirmation and config handling, supply them to reduce uncertainty and raise confidence.
Review Dimensions
- Purpose & Capability (note): The skill's name/description (manage agents, send USDC/USDT, multi-chain) aligns with the actions described in SKILL.md. The required binaries (curl, jq) are reasonable for making API calls and parsing JSON. However, the registry metadata reported no required config paths or env vars, while SKILL.md clearly expects and documents a local config path (~/.openclaw/agentwallex/config.json) and an optional AGENTWALLEX_BASE_URL; that mismatch is surprising and should be reconciled.
- Instruction Scope (concern): SKILL.md instructs the agent to have the user create an API key in the AgentWallex dashboard and paste it back into the conversation, after which the skill will validate and save it locally. It also references an AGENTWALLEX_BASE_URL env var and many payment-related endpoints. The instructions therefore involve collecting and storing API keys and performing on-chain transfers, which is appropriate for the purpose, but SKILL.md grants the agent broad operational scope (create agents, send payments, query balances). The file claims 'zero-config' but then documents credential collection and local storage; the agent will handle secrets, so you should confirm how human confirmation is enforced and who can trigger transfers.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code files, so nothing is downloaded or executed by an installer. That lowers install-time risk. It does reference ClawHub/OpenClaw plugin commands, which are normal documentation pointers. No remote download URLs or extracted archives are present.
- Credentials (note): The skill declares no required environment variables in the registry, but SKILL.md documents an optional AGENTWALLEX_BASE_URL and requires the user to supply an AgentWallex API key (awx_*) via conversation, which will be saved to a local config file. Asking for an API key is proportional to a payment skill, but the mismatch between 'no env vars/config paths' in the manifest and SKILL.md's use of a config file and optional env var is inconsistent and worth confirming.
- Persistence & Privilege (note): The skill stores credentials locally at ~/.openclaw/agentwallex/config.json (claimed 0600). It is not marked always:true. Model invocation is allowed (platform default), so the agent can be invoked autonomously; SKILL.md metadata also declares that humanConfirmation is required for 'transfer' and 'pay' actions. This combination is reasonable for a payment skill, but you should verify that the platform actually enforces the human-confirmation step and that the saved config cannot be exfiltrated by other skills or processes.
