pocket-money

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill is transparent about creating crypto wallets for small budgets, but users should treat the local wallet files as real spending credentials.

Use this only for small, purpose-specific crypto budgets. Before installing, understand that it stores unencrypted wallet private keys locally under .auteng/wallets/, and anyone with access to those files may be able to spend the wallet funds. Review or trust the @auteng/pocket-money npm package before funding wallets, and require explicit approval before every payment or paid batch.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1

What this means

Anyone or any process that can read the wallet files may be able to spend the USDC held in those wallets.

Why it was flagged

The skill stores credentials that can control real crypto funds. This is disclosed and scoped to wallet files, but those files are equivalent to spending keys.

Skill content

Wallet private keys are stored as unencrypted JSON at `.auteng/wallets/<name>.json` with restricted file permissions (0600). These keys can sign USDC payment authorizations.

Recommendation

Only fund these wallets with small task-specific amounts, protect the .auteng/wallets directory, and move funds out if you suspect the files were exposed.

Finding 2

What this means

If the agent uses a funded wallet incorrectly, it could spend real USDC from that wallet, and an on-chain transfer cannot be reversed once it is signed and submitted.

Why it was flagged

The skill contemplates paid operations using agent-controlled wallets. It includes an explicit human-approval instruction, which is appropriate, but spending authority is still a sensitive capability.

Skill content

Before making any payment, you MUST: ... Wait for explicit human approval before proceeding

Recommendation

Require a clear cost estimate and explicit approval for each payment or batch, and keep funded balances low.

Finding 3

What this means

The installed npm package will handle wallet creation and private keys, so its integrity matters.

Why it was flagged

The core wallet functionality comes from an external npm package, while the provided artifact set contains only SKILL.md and VERSION.txt. This is normal for a package-backed skill, but the package code was not available in the submitted artifacts.

Skill content

npm install @auteng/pocket-money

Recommendation

Install from the expected package source, review the package or repository if possible, and consider pinning a known version in controlled environments.