Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

pocket-money

Give your AI agent crypto wallets on Base. Create purpose-specific wallets, ask your human to fund each one, check balances, and manage budgets. No accounts,...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
By Operator @ AutEng AI (@operator-auteng-ai) · 0 current installs · 0 all-time installs
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description align with the requested artifacts: node/npm are required for the @auteng/pocket-money package, and the skill expects a local config directory .auteng/wallets/ where wallets are stored. No unrelated credentials or bizarre binaries are requested.
Instruction Scope (flagged)
The SKILL.md instructs creating, loading, and storing private keys as unencrypted JSON at .auteng/wallets/<name>.json (0600). It also instructs the agent to poll the Base RPC and to wait for funding. The document relies on the human for explicit approval before spending, but that is procedural (not enforced technically). There is no instruction-level protection preventing an agent or installed code from programmatically signing and sending transactions without human confirmation.
Install Mechanism (flagged)
Install is via an npm package (@auteng/pocket-money). Installing an npm package grants arbitrary code execution on the host at install/runtime; this is expected for a Node-based skill but is a meaningful risk because the package will have access to wallet files and could exfiltrate keys. The package source is referenced in SKILL.md (GitHub and npm links), which helps reviewability, but the registry metadata lacked a homepage entry — you should verify the package identity and inspect source before installing.
Credentials
No environment variables or unrelated credentials are requested. The only filesystem access declared is the .auteng/wallets/ path where wallet JSONs are stored. That is consistent with the stated functionality, but the data stored there (private keys) is highly sensitive, so minimality of requested variables doesn't remove the risk.
Persistence & Privilege (flagged)
always:false (good). The skill can be invoked autonomously (platform default). Combined with an installed npm package that can access and sign with local private keys, autonomous invocation increases blast radius: the agent or package could sign/send transactions programmatically. SKILL.md relies on human approval but cannot technically enforce it.
What to consider before installing
This skill is coherent with its stated aim (creating local Base/USDC wallets), but it has security-sensitive components you should review before installing:

  1. Inspect the @auteng/pocket-money package source on GitHub and the npm package contents (including dependencies and postinstall scripts).
  2. Do not fund these wallets with more than a small, reviewed amount; treat them as petty cash.
  3. Consider requiring encrypted keystores or a hardware signing flow rather than unencrypted JSON files on disk; if you must use these files, keep strict filesystem permissions and keep backups off the machine.
  4. Confirm the RPC endpoints (mainnet.base.org) and whether gas in ETH is actually required; the SKILL.md claim that "no ETH needed for gas" may be inaccurate on Base unless a gas-sponsorship mechanism is used.
  5. If possible, run the npm package in a sandboxed environment or audit it first; pin to a specific package version and vendor it.
  6. Be aware that the agent can be invoked autonomously; if you want to prevent accidental spending, restrict autonomous invocation for this skill or ensure that human approval can be enforced by policy.

If you cannot audit the package and accept these risks, proceed cautiously; otherwise, treat this skill as potentially dangerous.


Current version: v2.0.0 · latest: vk979035j5qz4sdb7v8vhk96tq981s5r5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Bins: node, npm
Config: .auteng/wallets/

Install

Node: npm i -g @auteng/pocket-money

SKILL.md

Pocket Money — Fund Your Agent's Wallets

You have a tool that lets you create and manage crypto wallets (USDC on Base). Each wallet is a separate keypair with its own balance — create one per purpose or budget.

Package: @auteng/pocket-money — published by AutEng (source on GitHub).

Setup (first time only)

Install the pocket-money library:

```bash
npm install @auteng/pocket-money
```

Creating a Wallet

Create a named wallet for each purpose or budget:

```javascript
import { wallet } from '@auteng/pocket-money';

const w = await wallet.create({ name: "feb-2026" });
console.log(w.address); // 0xABC123...
```

If a wallet with that name already exists on disk, it loads it. Each wallet is stored at .auteng/wallets/<name>.json.

You can also create a quick default wallet:

```javascript
const w = await wallet.create();
```

Network

```javascript
// Base mainnet (default)
const w = await wallet.create({ name: "prod" });

// Base Sepolia testnet
const w = await wallet.create({ name: "test", network: "base-sepolia" });
```

Requesting Funding

When you need money, ask your human to fund a specific wallet:

I need $12 in USDC for today's tasks.

Please send USDC on **Base** to this address:
`0xABC123...` (wallet: "feb-2026")

You can send from Coinbase, an exchange, or any wallet that supports Base.

Be specific about:

  • How much you need and why (e.g., "$5 for API calls", "$20 for a batch processing job")
  • Which wallet (by name) so both you and your human can track budgets
  • The network: always Base (not Ethereum mainnet, not Arbitrum)
  • The token: USDC (not ETH, not other tokens)

Waiting for Funding

After asking, wait for the USDC to arrive:

```javascript
await w.waitForFunding(12_000000n);
// Polls Base every 10s until >= 12 USDC is available
```

With a timeout:

```javascript
await w.waitForFunding(12_000000n, { timeout: 120_000 });
// Throws after 2 minutes if balance < $12
```

Tell your human you're waiting — they may need a minute to complete the transfer.

Human Approval Before Spending

IMPORTANT: Before making any payment, you MUST:

  1. Tell your human exactly what you're about to spend and why
  2. Show the estimated cost
  3. Wait for explicit human approval before proceeding

Example:

I'd like to call an x402 API endpoint.

  Service: api.example.com/generate
  Cost:    ~$0.05 per request
  Wallet:  "feb-2026" ($0.98 remaining)

OK to proceed?

Never batch multiple paid operations without listing them first. If running a loop of paid calls, present the total estimated cost upfront and get approval for the batch.

Managing Wallets

```javascript
// Retrieve an existing wallet by name
const w = wallet.get("feb-2026");

// List all wallets
const all = wallet.list();
for (const w of all) {
  const bal = await w.checkBalance();
  console.log(`${w.name}: ${w.address} — ${bal} USDC`);
}

// Check balance
const balance = await w.checkBalance();
// Returns USDC in minor units (6 decimals)
// e.g., 12_000000n = $12.00
```

If running low, ask your human for more funding before expensive operations.
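The "Human Approval Before Spending" rule above is procedural: nothing in the library stops code from paying without asking. The following is an added example, not part of @auteng/pocket-money or this skill, showing how a caller can wrap a wallet in a gate that enforces that rule in code (every batch is listed, the total is computed up front, a hard per-wallet budget is checked before the human is even asked, and payment happens only on an explicit `true`). It also includes a formatter for the 6-decimal minor units `checkBalance()` returns. The wallet object is a constructed in-memory stand-in: `pay` is an assumed method name, since the page shows no payment call, and its `checkBalance` is synchronous for simplicity whereas the real one is awaited.

```javascript
// Added example, not part of @auteng/pocket-money: a spend gate that turns the
// "human approval before spending" rule into a check enforced in code, plus a
// formatter for USDC minor units (6 decimals). The wallet below is a constructed
// in-memory stand-in; `pay` is an assumed method name, since the page shows no
// payment call, and `checkBalance` is synchronous here for simplicity.

const USDC_MINOR_PER_DOLLAR = 1_000000n; // 6 decimals: 1_000000n == $1.00

// 980000n -> "$0.98", 12_000000n -> "$12.00" (sub-cent remainder is truncated for display)
function formatUsdc(minor) {
  if (typeof minor !== "bigint") throw new TypeError("minor units must be a bigint");
  const sign = minor < 0n ? "-" : "";
  const abs = minor < 0n ? -minor : minor;
  const dollars = abs / USDC_MINOR_PER_DOLLAR;
  const cents = (abs % USDC_MINOR_PER_DOLLAR) / 10000n;
  return `${sign}$${dollars}.${cents.toString().padStart(2, "0")}`;
}

// Constructed stand-in for a wallet object (no keys, no network).
function mockWallet(name, balanceMinor) {
  let balance = balanceMinor;
  const payments = [];
  return {
    name,
    checkBalance: () => balance,
    pay: (service, costMinor) => {
      balance -= costMinor;
      payments.push({ service, costMinor });
    },
    payments: () => payments.slice(),
  };
}

// The text the agent must show before any payment, in the shape SKILL.md uses.
function buildPrompt(wallet, items, total, balance) {
  const lines = items.map(
    (it) => `  Service: ${it.service}\n  Cost:    ${formatUsdc(it.costMinor)}`,
  );
  return [
    `I'd like to make ${items.length} paid call(s).`,
    ...lines,
    `  Total:   ${formatUsdc(total)}`,
    `  Wallet:  "${wallet.name}" (${formatUsdc(balance)} remaining)`,
    "OK to proceed?",
  ].join("\n");
}

// approve(prompt) is the human-in-the-loop hook: the gate pays only when it returns
// exactly `true`. budgetMinor is a hard per-wallet cap that holds even if the human
// would approve more; budget and balance are checked before the human is asked.
function createSpendGate({ wallet, approve, budgetMinor }) {
  let spentMinor = 0n;
  const history = [];

  // Every paid operation goes through here as a batch: all items are listed, the
  // total is computed up front, and nothing is paid unless the whole batch passes.
  function requestSpend(items) {
    if (!Array.isArray(items) || items.length === 0) throw new Error("nothing to spend");
    let total = 0n;
    for (const it of items) {
      if (typeof it.costMinor !== "bigint" || it.costMinor <= 0n) {
        throw new Error(`invalid cost for ${it.service}`);
      }
      total += it.costMinor;
    }
    const balance = wallet.checkBalance();
    if (total > budgetMinor - spentMinor) return { ok: false, reason: "over-budget", total };
    if (total > balance) return { ok: false, reason: "insufficient-balance", total };

    const prompt = buildPrompt(wallet, items, total, balance);
    if (approve(prompt) !== true) return { ok: false, reason: "not-approved", total, prompt };

    for (const it of items) wallet.pay(it.service, it.costMinor);
    spentMinor += total;
    history.push({ services: items.map((it) => it.service), total });
    return { ok: true, total, prompt };
  }

  return { requestSpend, spent: () => spentMinor, history: () => history.slice() };
}

// Walk through the cases: one approved call, one batch refused before asking, one declined.
function runSpendDemo() {
  const prompts = [];
  const w = mockWallet("feb-2026", 980000n); // $0.98, as in the SKILL.md example
  const gate = createSpendGate({
    wallet: w,
    approve: (p) => { prompts.push(p); return true; },
    budgetMinor: 500000n, // $0.50 hard cap for this wallet
  });
  const single = gate.requestSpend([{ service: "api.example.com/generate", costMinor: 50000n }]);
  const batch = gate.requestSpend(
    Array.from({ length: 20 }, (_, i) => ({ service: `api.example.com/generate#${i}`, costMinor: 50000n })),
  );
  const declined = createSpendGate({ wallet: w, approve: () => false, budgetMinor: 500000n })
    .requestSpend([{ service: "api.example.com/generate", costMinor: 50000n }]);
  return { single, batch, declined, balance: w.checkBalance(), prompts, payments: w.payments() };
}
```

The point of the ordering inside `requestSpend` is that the budget and balance checks run first, so a 20-call loop that would exceed the cap is refused without ever producing an approval prompt; the human only sees requests the policy already permits.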

Security & Storage

Private keys: Wallet private keys are stored as unencrypted JSON at .auteng/wallets/<name>.json with restricted file permissions (0600). These keys can sign USDC payment authorizations. If the file is leaked or the machine is compromised, funds in that wallet can be stolen. Treat wallet files like passwords.

Network access: This skill makes outbound HTTPS requests to:

  • Base RPC (mainnet.base.org) — to check USDC balances

Mitigations:

  • Always get human approval before any operation that spends funds
  • Only fund wallets with small amounts appropriate for the task — treat them as petty cash, not savings
  • Create separate wallets for separate budgets so you and your human can track spending
  • Your wallets only need USDC on Base — no ETH needed for gas
