Stellar Agentic Wallet

v1.7.0

A Stellar USDC wallet skill for AI agents. Pay for 402-gated APIs via MPP Router or x402 facilitators, check balances, manage USDC trustlines, swap XLM→USDC...

by Shawn Muggle (@shawnmuggle)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals: Crypto · Requires wallet · Can make purchases · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (wallet, trustlines, swaps, bridge, pay-per-call) match the included scripts and listed network endpoints (Horizon, Soroban RPC, MPP Router, Rozo). Declared npm deps (@stellar/stellar-sdk, mppx, tsx) are appropriate for the Node-based Stellar functionality.
Instruction Scope
Runtime docs and scripts stay on-topic (loading a secret file or env fallback, checking balances, adding trustlines, swapping, creating Rozo intents). Important behaviors to notice: the code will fall back to legacy env keys if present, audits .gitignore, and can write an autopay-ceiling comment into the secret file to enable silent payments below that ceiling — those file reads/writes are within the wallet's purpose but are noteworthy security-affecting actions. The skill can pay any 402 URL you point it at unless you use the --expect-* protections; the README explicitly warns about this.
Install Mechanism
No install spec is provided (instruction-only install), and the package.json lists standard npm dependencies from the registry. There are no downloads from untrusted servers or embedded installers in the manifest.
Credentials
The skill does not request unrelated environment variables or cloud credentials. Secrets are handled via a local file (.stellar-secret) by design; the code documents this and validates format. It also recognizes legacy env vars as a fallback, which is reasonable but should be understood by installers.
Persistence & Privilege
always:false and agent-autonomy defaults are normal. The skill will persist an 'autopay-ceiling' as a comment inside the user's secret file if the user opts in, enabling future silent signing under that ceiling (logged to stderr). The skill does not appear to modify other skills or global agent config.
Assessment
This appears to be a legitimate Stellar wallet skill, but it controls a signing key so treat it like money:
(1) Use a dedicated hot wallet with a small balance, not your main account.
(2) Generate and keep the secret in the recommended file (.stellar-secret with mode 600); avoid pasting secrets into UIs.
(3) Run on testnet first (pass --network testnet) to confirm flows.
(4) Be cautious with pay-per-call: the skill will pay any 402 endpoint you point it at unless you pass --expect-pay-to/--expect-amount to verify recipient and price. If you accept the autopay ceiling option, the skill will write a comment into your secret file and will silently sign payments at-or-below that ceiling — only enable this if you trust the calling flow.
(5) Review the included scripts (especially scripts/src/secret.ts and pay-per-call/send-payment code) yourself or verify the upstream repository before using with real funds; note the SKILL.md includes a repository/homepage reference while the registry metadata listed 'source: unknown' — consider checking that repo for release history.
(6) If you need the agent to operate autonomously, accept that it can propose payments; rely on the explicit confirmation gates and use expect-* flags to mitigate redirect/exfiltration risk.


latest: vk97ah5rc42bmg43fxkytmsxta584wn39
