2026 02 10 Clawhub Base Wallet 1.5.0
v1.0.0π Base Wallet - Crypto Identity for AI Agents. Create wallets, sign messages (SIWE), send transactions programmatically. No browser extensions, no human intervention. The foundation for autonomous Web3 agents.
β 1Β· 863Β·0 currentΒ·0 all-time
by@pin-alt
MIT-0
Download zip
LicenseMIT-0 Β· Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (create wallets, sign SIWE, send txs) matches the included scripts (create-wallet.js, basemail-register.js, check-balance.js) and the documented RPC/API endpoints. Dependencies (ethers) are appropriate for an Ethereum-compatible wallet.
Instruction Scope
SKILL.md and scripts stick to wallet operations, SIWE auth, balance checks, and BaseMail API calls. The runtime instructions reference environment variables and file paths used by the scripts (e.g., PRIVATE_KEY, MNEMONIC, WALLET_DIR, ~/.openclaw, ~/.base-wallet). This is expected, but the registry metadata lists no required env vars while the scripts do rely on themβusers should be aware which env vars the skill will actually read and which files it writes.
Install Mechanism
No install spec (instruction-only) and package.json/package-lock simply declare 'ethers' from the public npm registry. That is proportionate to the functionality; no third-party download URLs or extract steps are present.
Credentials
The skill does not declare required env vars in registry metadata, but the code expects PRIVATE_KEY, MNEMONIC, and optionally WALLET_DIR/HOME. Requesting private keys is appropriate for a wallet skill, but because credentials control funds the user must supply them intentionally and securely. The scripts write managed keys to ~/.openclaw/wallets (if --managed) and create audit logs in ~/.base-wallet/audit.log.
Persistence & Privilege
The skill writes wallet files and audit logs to user home directories (~/.openclaw and ~/.base-wallet) and may update managed wallet files with BaseMail metadata. It does not request always:true or attempt to modify other skills or system-wide agent configs. Keep in mind that if the agent is allowed to invoke the skill autonomously, it will be capable of creating and spending wallets (a real financial capability).
Assessment
This skill appears to do what it says: create wallets, sign SIWE, check balances and register with BaseMail. Before installing or running: 1) Treat it like software that controls real money β do not give it your production private keys or fund wallets you don't control. 2) Prefer --env mode and keep PRIVATE_KEY in a secure secret store; if you use --managed, expect files at ~/.openclaw/wallets/*.json and a mnemonic backup file, and ensure those files are protected (600/400 perms) and excluded from git. 3) Review the code (itβs small) and verify the BaseMail API URL and endpoints (the script calls /api/auth/start while docs mention /api/auth/nonce); validate network calls if you have strong security requirements. 4) Consider running the skill in a sandboxed environment or with a test wallet first. 5) Be cautious enabling autonomous agent invocation: an autonomous agent with this skill can create and sign transactions β that capability should only be granted if you trust the agent and have spending controls in place.Like a lobster shell, security has layers β review code before you run it.
latestvk9713an22nt9ddzgnw8rvw32h58114sd
License
MIT-0
Free to use, modify, and redistribute. No attribution required.