ClawHub

Engine miner Wallet

OpenClaw-installable Taproot-first wallet scaffold for Engine miner.

Install

openclaw plugins install clawhub:@kerimatalayturkish-dotcom/engine-miner-openclaw-wallet

Engine miner OpenClaw Wallet Plugin

Purpose: local scaffold for an OpenClaw-installable, Taproot-first wallet plugin for Engine miner.

This package is intentionally a scaffold.

What exists now:

  • native OpenClaw plugin package structure
  • openclaw.plugin.json manifest
  • installable runtime entry at index.js
  • passphrase-encrypted local secret storage for every platform
  • agent-visible wallet creation with explicit seed-phrase warning and one-time recovery display
  • BIP86 Taproot payout-address derivation
  • admin entrypoint for manual wallet initialization and inspection
  • placeholder claim tools that expose the intended claim-first interface
  • standalone companion skill prepared for separate ClawHub publishing

What does not exist yet:

  • secure keystore integration
  • PSBT construction or signing
  • Engine miner API integration
  • Alkanes claim transaction validation
  • Bitcoin broadcast integration

Folder Layout

engine-miner-wallet/
  admin.js
  package.json
  openclaw.plugin.json
  index.js
  lib/
    keystore.js
    taproot.js
    wallet-core.js
  README.md
  SECURITY.md

Current Tool Surface

  • engine_miner_wallet_create
  • engine_miner_wallet_status
  • engine_miner_wallet_get_payout_address
  • engine_miner_wallet_sign_registration_challenge
  • engine_miner_wallet_list_claimable_rewards
  • engine_miner_wallet_prepare_claim
  • engine_miner_wallet_sign_prepared_claim
  • engine_miner_wallet_broadcast_prepared_claim

The wallet creation, status, payout-address, and registration-signing tools are real.

The claim tools still return scaffold metadata only.

Registration signing details:

  • signs with the same BIP86 Taproot identity key as the payout address
  • canonical payload includes challenge, expiry, optional domain, network, address, x-only pubkey, and derivation path
  • payload is hashed with the tag EngineMinerRegistrationChallenge/v1
  • signature format is BIP340 Schnorr in hex encoding

Bitcoin and Alkanes boundary:

  • this wallet is still a Bitcoin wallet at the custody and signing layer
  • it can be used for Alkanes flows because Alkanes actions settle through Bitcoin transactions rather than a separate chain wallet

Wallet Creation And Admin Command

The wallet can now be initialized either through the agent-visible engine_miner_wallet_create tool or through the local admin command.

Agent-visible creation rules:

  • requires ENGINE_MINER_WALLET_PASSPHRASE to be set locally before runtime use
  • should only be used after warning the user that the recovery phrase will be shown once in chat
  • the user must store that recovery phrase offline immediately

The local admin command remains useful for manual setup and recovery-sensitive workflows.

Examples:

npm install
npm run build
setx ENGINE_MINER_WALLET_PASSPHRASE "choose-a-strong-passphrase"
node .\dist\admin.js init --network mainnet --passphrase "choose-a-strong-passphrase"
node .\dist\admin.js status
node .\dist\admin.js address

Portable encrypted-file mode:

node .\dist\admin.js init --network signet --passphrase "choose-a-strong-passphrase"
node .\dist\admin.js address --passphrase "choose-a-strong-passphrase"

Runtime environment variables:

  • ENGINE_MINER_WALLET_STATE_DIR overrides the wallet storage directory
  • ENGINE_MINER_WALLET_PASSPHRASE is required to initialize or unlock the wallet for admin commands or OpenClaw runtime use

OpenClaw install behavior:

  • the runtime no longer depends on child_process or PowerShell shell execution
  • this avoids the default OpenClaw install block that flagged shell execution as dangerous code

Local Install Shape

This package is structured so it can be installed into OpenClaw as a local plugin package.

For local path installs, the bundled dist/ entrypoints are the supported runtime shape.

It is also prepared for ClawHub code-plugin publishing under the package name @kerimatalayturkish-dotcom/engine-miner-openclaw-wallet.

Typical local install flow:

openclaw plugins install "C:\path\to\engine-miner-openclaw-wallet"

ClawHub publish flow:

clawhub login
clawhub whoami
npm pack
$tgz = (Resolve-Path ".\kerimatalayturkish-dotcom-engine-miner-openclaw-wallet-0.1.2.tgz").Path
clawhub package publish "$tgz" --family code-plugin --owner kerimatalayturkish-dotcom --source-repo kerimatalayturkish-dotcom/engine-miner-openclaw-wallet --source-commit YOUR_COMMIT_SHA --source-ref main --dry-run
clawhub package publish "$tgz" --family code-plugin --owner kerimatalayturkish-dotcom --source-repo kerimatalayturkish-dotcom/engine-miner-openclaw-wallet --source-commit YOUR_COMMIT_SHA --source-ref main --clawscan-note "Taproot-first Engine miner wallet plugin. Stores secrets locally with passphrase-encrypted storage, shows recovery phrases only after explicit confirmation, refuses arbitrary sends, and only exposes narrow Engine miner registration and claim flows."

Windows note:

  • if clawhub package publish <folder> fails with spawnSync npm ENOENT, publish the packed .tgz artifact instead
  • this avoids the Windows folder-packaging path that tries to spawn npm internally
  • ClawHub may also require explicit source provenance for code plugins; for this repo, pass --source-repo, --source-commit, and --source-ref
  • on this Windows shell, clawhub accepted the tarball only when passed as an absolute path resolved through Resolve-Path

Companion standalone skill publish flow:

clawhub skill publish ".\skills\engine-miner-wallet" --owner kerimatalayturkish-dotcom --slug engine-miner-wallet --version 0.1.2

Then enable it in ~/.openclaw/openclaw.json:

{
  "plugins": {
    "entries": {
      "engine-miner-wallet": {
        "enabled": true,
        "config": {
          "network": "mainnet",
          "policyMode": "claim_only",
          "walletStateDir": "C:\\Users\\yasha\\.engine-miner-wallet",
          "engineMinerApiUrl": "https://example.com/api",
          "alkanesProviderUrl": "https://mainnet.subfrost.io/v4/jsonrpc",
          "requireBroadcastConfirmation": true,
          "maxFeeSats": 5000
        }
      }
    }
  }
}

Restart the gateway after installation.

ClawHub Security Posture

This package has been tightened for a safer ClawHub install experience:

  • scoped package name matches the intended publisher handle: @kerimatalayturkish-dotcom/...
  • required OpenClaw compatibility metadata is present in package.json
  • packaged files are restricted through the files allowlist
  • wallet creation through the agent requires explicit confirmation before the recovery phrase is shown
  • arbitrary send-anywhere wallet actions are not exposed
  • registration and claim flows are constrained by purpose and policy

Current limitation:

  • this wallet still does not perform Engine miner puzzle solving or backend mining orchestration; mining requires a separate Engine miner server connector or MCP surface

See ./SECURITY.md for the end-user security checklist and publish guidance.

Why The Scaffold Is Claim-First

Engine miner agents should not receive a generic send-anywhere Bitcoin wallet.

This package is designed to become:

  • Taproot-first
  • claim-focused
  • safe enough for OpenClaw agents
  • Engine miner-specific rather than a universal wallet

Next Implementation Steps

  1. add claim receipt verification
  2. add PSBT validation and signing
  3. add Bitcoin broadcast provider integration

See ../docs/ENGINE-MINER-OPENCLAW-TAPROOT-WALLET-PLUGIN.md for the full architecture.