Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Wallet
v0.1.1
Wallets for AI agents with x402 payment signing, referral rewards, and policy-controlled actions.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (agent wallet, x402 signing, policy‑controlled actions) align with the instructions: server-side signing and a proxy 'x402/fetch' endpoint. However, the skill also recommends downloading remote SKILL/HEARTBEAT files and acting as a general-purpose HTTP proxy for arbitrary target URLs/bodies, functionality that goes beyond simple wallet management and increases the attack surface. Also, skill.json declares curl as a required binary while registry metadata listed none, which is an inconsistency.
Instruction Scope
Runtime instructions tell the agent to read/write ~/.agentwallet/config.json (expected) and to POST arbitrary URLs/bodies to frames.ag for proxying/payment. That means any data the agent passes to x402/fetch will be sent to frames.ag (potentially including sensitive payloads). The HEARTBEAT instructs fetching remote files from frames.ag into ~/.agentwallet, which is a phone‑home/update pattern. These behaviors are within a plausible wallet design but materially broaden scope and present data‑exfiltration and remote‑update risks.
Install Mechanism
There is no install spec and no code files (instruction‑only), which lowers risk. However, the included HEARTBEAT explicitly tells agents to curl skill metadata and download remote SKILL.md/HEARTBEAT.md into ~/.agentwallet, an update/phone‑home step that will pull remote content to disk. That is an instruction, not an automated install, but it still creates persistent remote code/contents on the host if followed.
Credentials
The skill does not request environment variables or external credentials from the platform. It relies on a per‑user apiToken produced by OTP flow and expects the agent to save/read ~/.agentwallet/config.json. Requiring a local token is proportionate for a server‑wallet service. Examples reference a FUND_API_TOKEN variable only as usage examples for authenticated API calls.
Persistence & Privilege
The skill instructs storing credentials and state under ~/.agentwallet and recommends periodic heartbeats/network checks. It does not request always:true or system‑wide changes, nor does it modify other skills. Still, the combination of local persistence plus recommended remote downloads and frequent network polling increases long‑term exposure if the remote service is compromised or abused.
What to consider before installing
This skill appears to implement a reasonable server‑wallet flow, but exercise caution before installing or following its instructions. Key things to consider:
- The x402/fetch endpoint proxies arbitrary target URLs and request bodies through frames.ag; do not send secrets, private keys, or sensitive documents through that proxy unless you fully trust frames.ag and have reviewed their privacy/security policies.
- The HEARTBEAT instructions advise periodically downloading remote SKILL.md/HEARTBEAT.md into ~/.agentwallet — that is a phone‑home/update mechanism. Treat it like installing remote code: verify the domain, HTTPS, and the operator before enabling automatic updates.
- The skill.json and SKILL.md show a minor metadata inconsistency (curl listed as a required binary in skill.json but the registry metadata showed none). Ask the maintainer to clarify required tools and exact behaviors.
- Prefer the web connect flow (user obtains and stores API token manually) over an agent automatically sending OTPs or emails on your behalf.
- If you proceed, restrict what the agent is allowed to send to the proxy (never leak user secrets), store ~/.agentwallet/config.json with strict permissions (chmod 600), and monitor network activity to frames.ag.
What would raise confidence to benign: code or published docs that explicitly restrict what may be proxied (e.g., server guarantees it will not retain or inspect payloads), an established, audited operator identity for frames.ag, and consistent metadata (required binaries, no implicit auto‑update instructions).
