Vincent - A secure wallet for your agent
v1.0.0
Use this skill to safely create a wallet the agent can use for transfers, swaps, and any EVM chain transaction. Also supports raw signing and Polymarket betting.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the SKILL.md: the instructions implement a remote smart-account wallet API (create wallet, get address, check balances, transfer, swap, raw signing). This is coherent for a wallet skill. However the skill depends entirely on an external service (heyvincent.ai) and the registry metadata lists no source/homepage — a transparency/trust gap worth noting.
Instruction Scope
Instructions are narrowly about calling the external API with a Bearer token and do not instruct reading unrelated system files or environment variables. But the skill's runtime instructions enable broad capabilities (arbitrary transactions, raw signing, swaps, Polymarket bets). Those capabilities are within the stated purpose but are high-impact: an agent with the API key can move funds or sign messages. The SKILL.md also instructs storing credentials in ~/.openclaw/credentials/agentwallet/<API_KEY_ID>.json (or working dir), which is a filesystem path the skill will rely on even though the registry declared no required config paths.
Install Mechanism
This is instruction-only with no install spec and no code files — lowest install risk. All network activity is performed by curl examples calling an external API; no archive downloads or package installs are present.
Credentials
The skill declares no required environment variables or credentials, but the instructions require and rely on an API key (Bearer token) produced by the service and advise storing it on disk. The registry metadata lists no required config paths, yet the SKILL.md explicitly references ~/.openclaw/credentials/agentwallet/<API_KEY_ID>.json — this mismatch (no declared config required vs. SKILL.md path guidance) is an inconsistency. Asking an agent to manage an API key that can authorize financial transactions is a high-privilege secret; the skill should have been explicit about how keys are protected and scoped.
Persistence & Privilege
always:false (good). disable-model-invocation:false (default) means an agent can call the skill autonomously; combined with wallet actions this increases risk because an autonomous agent could execute transfers or sign messages if it obtains the API key. The skill does not request or modify other skills or global agent configs.
What to consider before installing
This skill appears to implement exactly what it says (a remote wallet API) but you should proceed cautiously:
1) Trust and provenance: the source/homepage are missing — verify who runs heyvincent.ai, review their security/privacy docs, code audits, and key handling policies before putting real funds behind it.
2) API key risk: the API key (Bearer token) grants financial authority — store it securely, limit its scope, and prefer short-lived keys or revocation controls. The SKILL.md suggests storing keys at ~/.openclaw/credentials/agentwallet/… even though the registry lists no config paths; confirm where keys will be written and who/what can read them.
3) Autonomous actions: because the agent can invoke the skill autonomously, explicitly require interactive confirmation for any transfer/swap/sign operation or restrict the agent to read-only actions unless you approve transactions.
4) Least privilege: use this skill only with small test funds and tightly scoped spending policies until you have audited the service.
5) Ask the publisher for missing info that would raise confidence: source code or repo, security audit, API key scopes/permissions, how private keys are generated/rotated/revoked, data retention and telemetry, and exact policy controls available to limit agent actions.
Like a lobster shell, security has layers — review code before you run it.
