Solana + Polymarket + X Wallet Agent

v1.1.2

Manage Solana and Polygon wallets, run Polymarket weather arbitrage, post to X/Twitter, and execute Raydium swaps — all from natural language.

by inspiration_gx (@inspi-writer001)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code implements Solana + EVM wallet management, Polymarket CLOB order placement, Raydium swaps, a pump.fun/screener, and X/Twitter posting — which aligns with the skill name/description. The required secrets (master encryption values and X API tokens) are consistent with those capabilities: the master password decrypts locally stored keys and the X tokens are required to post and read tweets. The Polymarket integration uses wallet EIP-712 signatures to derive API credentials, which is expected for that API model.
Instruction Scope
SKILL.md asserts the CLI 'reads only the specific env vars listed', but the code reads additional environment variables and paths (e.g., POLYGON_RPC_URL / POLYGON_RPC, RAPHAEL_DATA_DIR, EVM_WALLET_STORE_PATH, PUMPPORTAL_WS). The skill also writes wallet stores and caches to a data directory (default ~/.raphael) even though README/installation text emphasizes ~/.openclaw/.env for credentials. The skill opens network connections to multiple external services (Solana RPC, Polygon RPC, pumpportal.fun websocket, clob.polymarket.com, Twitter/X APIs) — expected for functionality, but SKILL.md understates which envs/paths are used and where persistent state is stored.
Install Mechanism
The registry entry indicates 'instruction-only' but the package includes package.json, a bin/ script, and a node install hint in SKILL.md (install.node: ["."]). In practice the skill bundles Node.js code and depends on npm packages (ethers, @solana/web3.js, twitter-api-v2, etc.). That is a common approach but it means runtime dependencies will be installed from public registries — moderate risk compared to pure instruction-only skills. There is no download-from-arbitrary-URL pattern in the manifest, and code is included in the package, not pulled from an obscure host.
Credentials
The required environment variables are relevant to the skill (MASTER_* values to decrypt local wallets, SOLANA_RPC_URL for Solana RPC, and multiple X/Twitter tokens for posting/searching). Requiring the master encryption password is high privilege and appropriate for a wallet manager, but it means the operator must trust the skill with the ability to decrypt private keys (even though keys are stored encrypted on disk). No unrelated cloud or admin credentials are requested, which is good, but the quantity of X/Twitter tokens (api key/secret + access token/secret + bearer) is high — expected for full read/write Twitter API access.
Persistence & Privilege
The skill writes persistent state (wallets.json, evm-wallets.json, PID files and other files) into a data directory (default ~/.raphael). It does not set always:true and doesn't request system-wide privileges, but it will persist wallet records (encrypted private keys) and cache derived Polymarket API credentials. This is expected for a wallet/trading skill but increases the attack surface (encrypted blobs & caches remain on disk).
What to consider before installing
Before installing or providing secrets:
- Review the full source yourself (repo URL is provided) or have someone audit it; this skill will be able to decrypt wallets if you provide MASTER_ENCRYPTION_PASSWORD_CRYPTO + MASTER_ENCRYPTED + MASTER_SALT.
- Expect the skill to store state under a data directory (default ~/.raphael) — wallet records, cached API creds, and PID files — and to make network calls to Solana RPC, Polygon RPC, pumpportal.fun, clob.polymarket.com and X/Twitter APIs.
- The SKILL.md makes some inaccurate claims: it says the CLI reads only certain env vars and points to ~/.openclaw/.env for credentials, but the code also reads optional envs (POLYGON_RPC_URL, RAPHAEL_DATA_DIR, etc.) and writes to ~/.raphael by default. Do not assume the skill is limited to only the listed variables.
- Treat MASTER_ENCRYPTION_PASSWORD_CRYPTO as a high-value secret. If you proceed, use a dedicated low-value/test wallet first (dry-run mode) and avoid putting large funds under the managed wallets until you are satisfied.
- Prefer running the skill in an isolated environment (separate user account or VM), and verify the npm dependencies and package.json if running npm install.
- Use the skill's dry-run options and start with small tests: create a wallet, list balances, and run the scanner with --dry-run and minimal privileges before enabling live trading or auto-posting.

If you want, I can point to specific files/lines to check (e.g., where stored files are written and where network requests are made) or summarize exactly what would happen when you create a wallet or start the scanner.

Like a lobster shell, security has layers — review code before you run it.

latestvk979wnegxv89kqx8v9e7wt11fs82beaq

Runtime requirements

🤖 Clawdis
OS: macOS · Linux
Any bin: node, tsx
Env: MASTER_ENCRYPTION_PASSWORD_CRYPTO, MASTER_ENCRYPTED, MASTER_SALT, SOLANA_RPC_URL, X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET, X_BEARER_TOKEN
Primary env: MASTER_ENCRYPTION_PASSWORD_CRYPTO