Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GoodWallet

v1.5.6

Crypto wallet for sending, swapping, trading perps, betting on Polymarket, earning DeFi yield, and signing across EVM, Solana, Bitcoin, Doge, and XRP. Use wh...

0 · 270 · 0 current · 0 all-time
by Peter Emil Jensen (@peteremiljensen)
Security Scan
Capability signals
Crypto · Requires wallet · Requires OAuth token · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious (view report)
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (multi-chain wallet, signing, swapping, etc.) aligns with requirements: the skill requires node and installs a goodwallet CLI via npm. No unrelated credentials or tools are requested. Declared local config path (~/.config/goodwallet/) and external co-signer domains are coherent with a wallet that uses MPC and a remote signer.
Instruction Scope
SKILL.md limits runtime actions to running the goodwallet CLI (update, auth, balances, send, swap, sign) and explicitly requires confirmation before state-changing or signing commands. It does not instruct reading arbitrary host files or environment variables outside the wallet config path.
Install Mechanism
Install is an npm package (goodwallet) that installs a CLI binary — expected for a Node-based tool. NPM installs are a moderate supply-chain risk because code will be downloaded and executed at install/run time; however, the metadata points to a GitHub repo and the official npm page, which helps traceability.
Credentials
No environment variables or external credentials are requested (browser OAuth is used), which is proportionate. The skill will store encrypted MPC key shares and auth tokens in ~/.config/goodwallet/, which is sensitive but expected for a wallet. The agent will interact with external domains (sign.goodwallet.dev, agent.goodwallet.dev), appropriate for a remote co-signer but worth user scrutiny.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous-invocation settings; it installs its own CLI binary but does not request system-wide configuration changes or other skills' credentials. No excessive persistence or privilege escalation is requested in the manifest.
Scan Findings in Context
[no-code-files-to-scan] expected: The skill is instruction-only (only SKILL.md present), so the static regex scanner had no package files to analyze. However, the install step pulls an npm package at install time; that package's code was not available to the scanner and could contain additional behavior.
Assessment
This skill appears to be what it claims (a CLI crypto wallet), but take normal crypto and supply-chain precautions before installing:

  1. Verify the npm package publisher and the linked GitHub repo (look at recent commits, stars, and issues) and confirm the homepage/domains match the project.
  2. Understand that installing will download and run code from npm; consider inspecting the package (npm pack / unpack) or reviewing its source before running.
  3. The wallet stores encrypted MPC key shares and auth tokens under ~/.config/goodwallet/ and will call remote co-signer services (sign.goodwallet.dev, agent.goodwallet.dev) to complete signatures; treat these services as sensitive and verify TLS and operator reputation.
  4. Require explicit user confirmation for any send/swap/sign operation and consider using a dedicated or sandboxed environment for initial testing.
  5. If you need higher assurance, ask for the exact npm package checksum or a signed release and/or review the upstream source code before trusting it with real funds.
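The inspection step above (npm pack, then look inside before `npm i -g`) can be scripted. The following is an added example written for this page, not code from the GoodWallet project or from ClawHub. It assumes you have fetched the tarball with `npm pack goodwallet` (which writes `goodwallet-<version>.tgz`) and that you compare the computed integrity string against `npm view goodwallet dist.integrity`; the package name `example-wallet-cli`, its files and its postinstall hook are constructed sample data so the script runs offline.

```python
"""Inspect an npm tarball before installing it: list its files, flag
lifecycle scripts that execute on the installing machine, list the
binaries it would put on PATH, and compute npm's `sha512-<base64>`
integrity string for comparison with the registry's published value.

Added example for this page; not part of the GoodWallet skill or CLI.
"""
import base64
import hashlib
import io
import json
import tarfile

# npm lifecycle scripts that run arbitrary code during install/uninstall.
INSTALL_HOOKS = ("preinstall", "install", "postinstall",
                 "prepare", "preuninstall", "postuninstall")


def npm_integrity(tarball_bytes: bytes) -> str:
    """npm's Subresource-Integrity format: 'sha512-' + base64(sha512(tarball))."""
    digest = hashlib.sha512(tarball_bytes).digest()
    return "sha512-" + base64.b64encode(digest).decode("ascii")


def inspect_tarball(tarball_bytes: bytes) -> dict:
    """Summarise what an npm tarball would do when installed."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        files = sorted(m.name for m in tar.getmembers() if m.isfile())
        # npm tarballs place everything under a top-level "package/" directory.
        manifest = json.load(tar.extractfile(tar.getmember("package/package.json")))

    scripts = manifest.get("scripts", {})
    hooks = {name: scripts[name] for name in INSTALL_HOOKS if name in scripts}
    bins = manifest.get("bin", {})
    if isinstance(bins, str):          # "bin": "cli.js" shorthand keys on the package name
        bins = {manifest["name"]: bins}
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "integrity": npm_integrity(tarball_bytes),
        "files": files,
        "bin": bins,
        "install_hooks": hooks,
        # Any install-time hook means code runs before you ever invoke the CLI.
        "needs_review": bool(hooks),
    }


def build_sample_tarball(manifest: dict, extra_files: dict) -> bytes:
    """Construct a tarball in npm's layout (package/...) purely for offline testing."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        contents = {"package/package.json": json.dumps(manifest).encode()}
        contents.update({f"package/{p}": data for p, data in extra_files.items()})
        for path, data in contents.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample (hypothetical package, not the real goodwallet tarball):
# ships a CLI binary and a postinstall hook that would run at install time.
SAMPLE_MANIFEST = {
    "name": "example-wallet-cli",
    "version": "0.0.1",
    "bin": {"example-wallet": "bin/cli.js"},
    "scripts": {"postinstall": "node scripts/setup.js", "test": "node test.js"},
}
SAMPLE_TARBALL = build_sample_tarball(
    SAMPLE_MANIFEST,
    {"bin/cli.js": b"#!/usr/bin/env node\n", "scripts/setup.js": b"// runs at install\n"},
)

if __name__ == "__main__":
    # For a real package: inspect_tarball(open("goodwallet-1.5.6.tgz", "rb").read())
    print(json.dumps(inspect_tarball(SAMPLE_TARBALL), indent=2))
```

If `install_hooks` is non-empty, read the referenced scripts before installing; if the integrity string differs from what `npm view` reports, the tarball you have is not the one the registry serves.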

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

👛 Clawdis
Bins: node

Install

Install Goodwallet CLI (npm)
Bins: goodwallet
npm i -g goodwallet
latest: vk976a72q0qgb3yyx3ssxrjevdh84vj7e
270 downloads
0 stars
8 versions
Updated 9h ago
v1.5.6
MIT-0

Goodwallet

Crypto wallet CLI. Run goodwallet --help for the latest commands, flags, chains, and usage.

Update

Before running any other command, check for updates:

  1. goodwallet update — check for a new version.
  2. If outdated, run goodwallet update --install before proceeding.

Rules

  • Summarize outcomes in plain language; don't dump raw CLI output unless asked.
  • Never fabricate values. Only report what the CLI returns.
  • Read before write: inspect balances/quotes/positions before proposing any state-changing action.
  • Confirm before executing any command that moves funds or creates exposure: send, swap --execute, trade --deposit/--withdraw/--market, bet --deposit/--withdraw/--market, earn --deposit/--withdraw, and every sign command.
  • Don't reveal internal wallet details unless the user asks.

Auth

  1. goodwallet auth — show the returned URL to the user.
  2. goodwallet auth --pair — run immediately; polls until the browser flow completes.
  3. goodwallet auth --logout — disconnect.

Signing Safety

All credentials and MPC key shares are stored locally at ~/.config/goodwallet/. No full private key ever exists — only a single MPC key share is stored on device. Signing uses 2-party MPC with a remote co-signer at sign.goodwallet.dev (operated by GoodDollar). The agent API at agent.goodwallet.dev issues signing room UUIDs and enforces transaction-policy checks (token allowlists, spend limits, malicious-contract detection) before co-signing, so most harmful payloads are rejected server-side. Both services communicate over HTTPS/WSS. Still, confirm with the user before running any sign command so they understand what they're approving.
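The paragraph above says the agent API applies a transaction policy (token allowlist, spend limits, malicious-contract detection) before the remote party contributes its share of the 2-party MPC signature. The block below is an added illustration of such a pre-sign gate, written for this page; it is not GoodDollar's or GoodWallet's implementation, and the policy values, addresses and token symbols are constructed. It exists to make the caveat concrete: a policy only rejects what it can recognise, so the user confirmation the skill requires before every sign command is still the last line of defence.

```python
"""Illustrative pre-sign transaction policy gate (added example, not the
GoodWallet/GoodDollar service logic). Applies a destination denylist, a
token allowlist, a per-transaction limit and a rolling daily limit to a
transaction intent and returns (allowed, reason).
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Policy:
    allowed_tokens: Set[str]                 # symbols the wallet may move
    per_tx_limit: Dict[str, float]           # symbol -> max amount per transaction
    daily_limit: Dict[str, float]            # symbol -> max amount per day
    denied_contracts: Set[str]               # known-malicious addresses, lowercase
    spent_today: Dict[str, float] = field(default_factory=dict)


@dataclass
class TxIntent:
    kind: str     # "send" or "swap"
    token: str
    amount: float
    to: str       # recipient or contract address
    chain: str


def evaluate(policy: Policy, tx: TxIntent) -> Tuple[bool, str]:
    """Check one intent against the policy; the reason names the first violation."""
    if tx.to.lower() in policy.denied_contracts:
        return False, f"destination {tx.to} is on the malicious-contract list"
    if tx.token not in policy.allowed_tokens:
        return False, f"token {tx.token} is not on the allowlist"
    if tx.amount <= 0:
        return False, "amount must be positive"
    if tx.amount > policy.per_tx_limit.get(tx.token, 0.0):
        return False, f"{tx.amount} {tx.token} exceeds the per-transaction limit"
    used = policy.spent_today.get(tx.token, 0.0)
    if used + tx.amount > policy.daily_limit.get(tx.token, 0.0):
        return False, f"{tx.amount} {tx.token} would exceed the daily limit ({used} already spent)"
    return True, "within policy"


def record_spend(policy: Policy, tx: TxIntent) -> None:
    """Book an approved transaction against the daily window."""
    policy.spent_today[tx.token] = policy.spent_today.get(tx.token, 0.0) + tx.amount


# Constructed sample policy and intents (hypothetical addresses and limits).
SAMPLE_POLICY = Policy(
    allowed_tokens={"USDC", "ETH"},
    per_tx_limit={"USDC": 500.0, "ETH": 0.5},
    daily_limit={"USDC": 1000.0, "ETH": 1.0},
    denied_contracts={"0x000000000000000000000000000000000000bad1"},
)
SAMPLE_INTENTS = [
    TxIntent("send", "USDC", 200.0, "0x1111111111111111111111111111111111111111", "ethereum"),
    TxIntent("send", "USDC", 400.0, "0x2222222222222222222222222222222222222222", "ethereum"),
    TxIntent("send", "USDC", 450.0, "0x2222222222222222222222222222222222222222", "ethereum"),
    TxIntent("swap", "ETH", 2.0, "0x3333333333333333333333333333333333333333", "ethereum"),
    TxIntent("send", "USDC", 10.0, "0x000000000000000000000000000000000000BAD1", "ethereum"),
    TxIntent("send", "DOGE", 1.0, "DExampleDogeAddress", "dogecoin"),
]


def run_sample() -> list:
    """Evaluate the constructed intents in order, booking only approved ones."""
    results = []
    for tx in SAMPLE_INTENTS:
        allowed, reason = evaluate(SAMPLE_POLICY, tx)
        if allowed:
            record_spend(SAMPLE_POLICY, tx)
        results.append((allowed, reason))
    return results


if __name__ == "__main__":
    for tx, (ok, why) in zip(SAMPLE_INTENTS, run_sample()):
        print(f"{tx.kind} {tx.amount} {tx.token} -> {'ALLOW' if ok else 'REJECT'}: {why}")
```

Note what this gate cannot see: a destination that is not yet on the denylist, or a swap whose route is legitimate but whose outcome the user did not intend, passes every check. That is why the skill's rule to confirm each send, swap and sign with the user is not redundant with server-side policy.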

Error Recovery

  • Auth timeout → restart auth + auth --pair.
  • Insufficient funds → suggest checking balances or reducing amount.
  • No swap route → suggest different token, amount, or chain.
  • Any other failure → report the error plainly, don't retry automatically.
