Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kite Agent Smart Wallet V3

v3.0.2

Control Kite AI chain-wallet via Telegram using OpenClaw for wallet creation, balance checks, transfers, session keys, and spending limits without running a...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill claims to let users control Kite wallets via OpenClaw/Telegram, which is plausible, but the included code expects a signing private key (referenced in console output as KITE_WALLET_PRIVATE_KEY). The skill metadata declares no required environment variables or credentials — that is inconsistent with the code's need to hold a wallet private key to sign transactions.
[!] Instruction Scope
SKILL.md describes commands and RPC/contract info but does not mention how the agent obtains the required wallet private key or where it should be stored. The runtime code will initialize a wallet from a private key and perform sends, create wallets, and add session keys (the addSessionKey call is configured to allow 'all functions' via a general selector), which implies sensitive, privileged actions that SKILL.md does not disclose or constrain.
Install Mechanism
There is no install spec (instruction-only), lowering install risk. However package.json/package-lock include ethers and other npm deps, so running the code will require installing node deps; the absence of an explicit install step is an operational omission but not itself malicious. Dependencies are standard and expected for Ethereum interaction.
[!] Credentials
The code requires a wallet private key to sign transactions, but requires.env/primary credential are empty in the declared metadata. Requesting an uncompensated, undeclared secret that grants custody/transfer ability is disproportionate and should be explicitly declared and justified. The skill will have the ability to send funds and set session keys with broad permissions.
Persistence & Privilege
always is false and there are no declared config path or system-modifying behaviors. The skill does not request permanent, system-level presence. The main concern is secret custody rather than persistence or privilege escalation in the platform.
What to consider before installing
Do not install or use this skill until the author clarifies how signing keys are handled. Specific points to request/verify:

  1) Where/how the wallet private key is provided and stored (the code expects a private key but SKILL.md/metadata do not declare this).
  2) Who controls the private key used to create/send funds (giving the key to the agent equals giving custody of funds).
  3) Why session keys are added with an all-functions selector and whether they can be scoped more narrowly.
  4) Confirm the contract address and RPC endpoint are legitimate and intended.

If you test this, use an empty test account and minimal funds on the testnet, run the code in an isolated/sandbox environment, and consider having the author publish a provenance/homepage and explicit install/auth instructions before trusting it with real funds.

SKILL.md

Kite AI Agent Smart Wallet Protocol V3

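Introduction

Users control the Kite AI on-chain wallet directly through OpenClaw (Telegram), without running a bot themselves.

Architecture

User (Telegram) → OpenClaw → Kite AI contract
     │
     └── OpenClaw performs the operations

Features

  • Wallet creation
  • Balance queries
  • Transfers
  • Session key management
  • Spending limits

Commands

All commands start with /kite: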

Command                                Function
/kite help                             Help
/kite create                           Create wallet
/kite wallet                           Show address
/kite balance                          Show balance
/kite send <address> <amount>          Transfer
/kite session add <address> <limit>    Add authorization
/kite limit set <amount>               Set limit

Network

Contracts

  • AgentSmartWalletFactory: 0x0fa9F878B038DE435b1EFaDA3eed1859a6Dc098a

Versions

  • v3.0.0 (2026-02-25): OpenClaw integration, direct control via Telegram
  • v2.0.x: version in which users run the bot locally
  • v1.0.0: base contract

Files

6 total