Passive Savings Crypto
v1.0.0
Put idle USDC to work earning yield for you or your agent's wallet. Funds grow automatically and move like regular USDC when you're ready. No protocol intera...
by Marvin Arnold (@marvinmarnold)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included scripts and tools: this is a CLI/skill for minting, checking, and transferring sUSDC on Linea. Minor wording mismatch: the description/README say "No protocol interactions," but the scripts call a Locker Router deposit and ERC20 approve/transfer functions (on-chain protocol interactions) — likely intended to mean "no manual multi-step protocol flow," not literally no on-chain calls.
Instruction Scope
SKILL.md instructions map directly to the scripts (node scripts/*). At runtime the agent will read AGENT_PRIVATE_KEY and RPC_URL and call Linea RPC endpoints; the scripts do not read or transmit other local files or hidden endpoints. The skill prints links to autohodl.money/docs, but there is no evidence of outbound telemetry beyond RPC calls.
Install Mechanism
Installation is npm install (package.json uses viem). This is a normal, expected install mechanism for a Node.js tool; dependencies come from the npm registry (package-lock.json present). No arbitrary downloads or extract-from-URL steps are used.
Credentials
Only AGENT_PRIVATE_KEY and RPC_URL are required, which is proportionate for a wallet-signing tool. Caveats: AGENT_PRIVATE_KEY is highly sensitive (provides full control of the wallet). The mint script requests infinite USDC approval for the Locker Router (maxUint256) — a common DeFi convenience but increases risk if the router contract or its keys are compromised. The default fallback RPC (https://linea.drpc.org) will be used if RPC_URL is unset — choose a trusted RPC provider.
Persistence & Privilege
Skill is not always-included and does not modify other skills or system-wide settings. package.json offers an install-skill helper that copies SKILL.md into the user's Claude skills folder (reasonable for this ecosystem). Autonomous invocation is permitted (platform default) but not combined with other privilege escalations in this package.
Assessment
This skill appears to do what it says: sign Linea transactions to mint/check/transfer sUSDC. Before installing or running it:
(1) Only provide AGENT_PRIVATE_KEY to environments you fully control — it's the raw wallet private key and grants full custody. Prefer using a dedicated hot wallet with limited funds rather than your primary wallet.
(2) Review and verify the hard-coded contract addresses (USDC, sUSDC, Locker Router) against official sources; if they are wrong or malicious, funds could be lost.
(3) Be aware minting performs an infinite USDC approve for the Router (maxUint256); that is convenient but increases attack surface if the Router contract or keys are compromised — consider changing the code to request an approval equal to the deposit amount if you prefer conservative behavior.
(4) Use a trusted RPC provider (set RPC_URL explicitly) — RPC operators see your transaction activity and can influence mempool behavior (but cannot learn your private key).
(5) If you plan to let an autonomous agent invoke this tool, lock agent permissions and limit wallet funds available to the agent.
If you want a higher-assurance setup, avoid placing raw private keys in environment variables and instead use a signing provider/hardware wallet integration (this code currently expects a raw private key).
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
💰 Clawdis
Bins: node
Env: AGENT_PRIVATE_KEY, RPC_URL
Primary env: AGENT_PRIVATE_KEY
