Portal Wallet
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: portal-wallet
Version: 1.1.0
The portal-wallet skill provides a legitimate interface for managing MPC-secured cryptocurrency wallets via the Portal HQ API. It includes comprehensive security instructions for the AI agent, such as mandatory user confirmation, address validation, and explicit defenses against prompt injection. All network requests are directed to official Portal endpoints (api.portalhq.io and mpc-client.portalhq.io), and the use of jq for JSON construction follows best practices to mitigate injection risks.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent signs or sends the wrong transaction, crypto funds may be lost or transferred irreversibly.
The skill documents direct API calls that can send cryptocurrency using the user's MPC share. This is purpose-aligned for a wallet skill, but it is a high-impact action if misused.
curl -s -X POST 'https://mpc-client.portalhq.io/v1/assets/send' ... '{share: $share, chain: "monad", to: $to, token: "NATIVE", amount: $amount...}'
Only approve transactions after checking the recipient, chain, asset, amount, and simulation result. Use spending limits and a signature-approval webhook before funding the wallet.
Leaking the API key and a share could let someone else sign transactions from the wallet.
The setup guide clearly states that the Portal client API key plus an MPC share grants signing authority. This is expected for the integration but creates a strong credential boundary.
anyone with the client API key AND a share can sign transactions
Store these values like wallet private keys, keep openclaw.json out of source control, rotate credentials if exposed, and avoid using production funds until policy controls are configured.
A bad prompt or unsafe agent behavior could translate into real financial loss if the wallet is funded without containment.
The documentation acknowledges that agent compromise or prompt injection could lead to unauthorized wallet actions unless an external policy gate is used.
Without a signature approval webhook, this skill should only be used on test wallets with negligible balances. Prompt injection of the agent could otherwise result in unauthorized transactions.
Configure Portal signature approvals, spending caps, allowlisted recipients, and chain restrictions before using non-trivial funds.
