ClawPurse

v2.0.2

Local Neutaro chain wallet for managing NTMPI tokens, supporting balance checks, transfers, transaction history, staking, and allowlist enforcement.

by Mhue AI (@mhue-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, code files (wallet, keystore, staking, security), and SKILL.md capabilities (balance, send, staking, allowlist) are consistent — the codebase matches the stated wallet purpose.
Instruction Scope
SKILL.md instructs the agent/person to run npm install / build / npm link and to use CLAWPURSE_PASSWORD (env var) and to read/write local files (~/.clawpurse/keystore.enc, receipts, allowlist). Those actions are appropriate for a local wallet but the runtime instructions reference an env var that isn't declared in registry metadata. The instructions also suggest backing up and exporting mnemonics (sensitive operations) and recommend not logging them — this is expected but high-risk if an agent is allowed to act autonomously.
Install Mechanism
No install spec was provided in registry metadata, but SKILL.md requires running npm install, building, and npm link. The code bundle is present in the skill. Lack of an explicit install spec in the registry is an omission (it means manual installation is required and there is no automated sandboxing or declared binaries).
Credentials
Registry metadata lists no required environment variables or primary credential, yet SKILL.md and the programmatic examples rely on CLAWPURSE_PASSWORD (and implicitly on local keystore files). A wallet skill that manages mnemonics/keys should declare required secrets/credentials up front; the omission is disproportionate and may mislead users about the sensitive data the skill will handle.
Persistence & Privilege
always is false and model invocation is allowed (default). The skill writes and reads its own keystore and receipts in ~/.clawpurse which is expected for a local wallet. Nothing indicates it modifies other skills or system-wide agent settings.
Scan Findings in Context
[no-findings] expected: Static pre-scan reported no injection signals. This is not proof of safety — the package contains source handling private keys and network RPCs, which merits manual code review.
What to consider before installing
This package is largely coherent with its stated purpose (a local Neutaro wallet) and contains full source and docs. However: (1) it handles sensitive secrets (mnemonic, keystore) and will read/write ~/.clawpurse — only install if you understand and accept local key storage risks; (2) SKILL.md uses CLAWPURSE_PASSWORD but the registry metadata does not declare any required env vars or credentials — treat this as an omission and plan to set the env var securely if you use it; (3) there is no automated install spec in the registry though SKILL.md asks you to run npm install/build/npm link — review package.json scripts and audit the code before running install/build steps; (4) if you intend to let an agent call this autonomously, enable allowlist enforcement, restrict agent permissions, and consider using hardware wallets or keeping funds in a separate account with strict limits to reduce blast radius. If you want to proceed: review src/keystore.ts and src/security.ts to confirm encryption/key handling, test locally in an isolated environment, and avoid placing large balances under an agent-controlled key until you are confident in the code and guardrails.

Like a lobster shell, security has layers — review code before you run it.
