Portal Wallet

Audited by ClawScan on May 10, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (ignore-previous-instructions); human review is required before treating this skill as clean.

Install only if you intend to let OpenClaw interact with a Portal crypto wallet. Start with test funds, configure Portal signature-approval webhooks and spending limits, keep the API key and MPC shares out of source control, and manually verify every transaction before approval. ClawScan detected prompt-injection indicators (ignore-previous-instructions), so this skill requires review even though the model response was benign.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent signs or sends the wrong transaction, crypto funds may be lost or transferred irreversibly.

Why it was flagged

The skill documents direct API calls that can send cryptocurrency using the user's MPC share. This is purpose-aligned for a wallet skill, but it is a high-impact action if misused.

Skill content

curl -s -X POST 'https://mpc-client.portalhq.io/v1/assets/send' ... '{share: $share, chain: "monad", to: $to, token: "NATIVE", amount: $amount...}'

Recommendation

Only approve transactions after checking the recipient, chain, asset, amount, and simulation result. Use spending limits and a signature-approval webhook before funding the wallet.

What this means

Leaking the API key and a share could let someone else sign transactions from the wallet.

Why it was flagged

The setup guide clearly states that the Portal client API key plus an MPC share grants signing authority. This is expected for the integration but creates a strong credential boundary.

Skill content

anyone with the client API key AND a share can sign transactions

Recommendation

Store these values like wallet private keys, keep openclaw.json out of source control, rotate credentials if exposed, and avoid using production funds until policy controls are configured.

Note: High Confidence

ASI08: Cascading Failures

What this means

A bad prompt or unsafe agent behavior could translate into real financial loss if the wallet is funded without containment.

Why it was flagged

The documentation acknowledges that agent compromise or prompt injection could lead to unauthorized wallet actions unless an external policy gate is used.

Skill content

Without a signature approval webhook, this skill should only be used on test wallets with negligible balances. Prompt injection of the agent could otherwise result in unauthorized transactions.

Recommendation

Configure Portal signature approvals, spending caps, allowlisted recipients, and chain restrictions before using non-trivial funds.