Reva
v0.1.5Complete Reva wallet management - passwordless authentication, PayID name claiming, multi-chain crypto transfers to PayIDs or wallet addresses, balance track...
⭐ 2· 556·0 current·0 all-time
byredd@pax47
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (Reva wallet management, passwordless auth, PayID, multi-chain transfers) align with the scripts and runtime instructions. All network calls are to api.revapay.ai and the scripts implement login/verify, claim payid, get-balance, get-user-info, send-message, and transfer-funds as described.
Instruction Scope
SKILL.md and scripts are focused on the wallet workflow. The skill asks for user email/OTP and stores an access token for subsequent calls; it will transmit email, OTP, token, recipient and amount to revapay.ai endpoints. It does not attempt to read unrelated system files, environment variables, or other credentials. Note: the skill stores token and some state under $HOME/.openclaw/payid and posts data to the external revapay.ai API as part of normal operation.
Install Mechanism
No install/download steps; code is instruction-only with included shell scripts. Dependencies declared (jq, curl) are reasonable for the tasks performed. No remote downloads or archives are executed by an installer.
Credentials
No environment variables or unrelated credentials are requested. The scripts write and read token/state under $HOME/.openclaw/payid (auth.json, room_state.txt) — this is proportional for storing session tokens and state. All network requests go to the service domain in the skill description.
Persistence & Privilege
always: false and the skill does not modify other skills or system-wide settings. It persists only its own state under the user's home directory (~/.openclaw/payid). Files are created with restrictive permissions (700 for dir, 600 for auth file/room state) which is appropriate for stored tokens.
Assessment
This skill appears to do what it says: it will send your email/OTP and transaction requests to https://api.revapay.ai and store an access token and small state under ~/.openclaw/payid. Before installing: 1) Confirm you trust revapay.ai and its privacy/security practices (this skill sends sensitive auth and transaction data to that domain). 2) Ensure jq and curl are available. 3) Be careful when authorizing transfers — verify recipient and amount because blockchain transfers are irreversible. 4) Note the token is stored on disk (auth.json) with restrictive permissions; if you share a machine, consider whether that storage is acceptable. 5) If you need higher assurance, review the remote service's docs or contact the vendor to confirm endpoints and behavior.Like a lobster shell, security has layers — review code before you run it.
latestvk97220menh4w8acdhtarmfz5nn81vwv9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.