cdnsoft-wallet
v0.3.4
EVM wallet tool for autonomous agents with built-in accountability. Creates, signs, and broadcasts ETH and ERC20 transfers on any EVM-compatible chain, then...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the provided scripts and SKILL.md. The tool performs on-chain signing, RPC calls, x402 payment flows, and local logging; those actions require a wallet key and RPC URL passed as CLI args, which is appropriate for a wallet skill.
Instruction Scope
Runtime instructions are explicit about required inputs (--wallet-key, --rpc, --output) and warn about safety (--max-amount, ask your human). The SKILL.md does not instruct the agent to read unrelated system files or environment variables, nor to exfiltrate secrets to external endpoints beyond the target RPC/API URLs the user supplies.
Install Mechanism
No installer downloads or post-install hooks are present; dependencies are standard Python packages (eth-account, requests). The skill is instruction-and-script-only, so nothing external is fetched by the install spec in the provided bundle.
Credentials
The skill requests no environment variables or hidden credentials. It explicitly requires a wallet JSON file (private_key) and RPC/API endpoints at runtime — these are necessary and proportionate for signing and broadcasting transactions and for x402 flows.
Persistence & Privilege
The skill does not request permanent/always-on presence and does not modify other skills. It can be invoked autonomously by agents (platform default); because it can sign and broadcast transactions if given a private key, you should only provide wallet keys when you trust the agent and limit allowed spend (use --max-amount / --pay-to).
Assessment
This skill appears to do exactly what it says: sign and broadcast EVM transactions and log them locally. Key safety notes before installing or running: (1) Never give an agent your main/private wallet file unless you fully trust it — prefer a dedicated, funded test or merchant wallet with limited balance. (2) Always pass --output to a path you control, and set file permissions (chmod 600) on wallet JSON. (3) For x402 flows, always use --max-amount and (when practical) --pay-to to avoid unexpected payouts. (4) Review the scripts yourself (they are included) and test with a small transaction on a testnet or a tiny balance before any production use. (5) If you want stricter protection, use a hardware wallet or signing service that disallows arbitrary transaction broadcasting.
Like a lobster shell, security has layers — review code before you run it.
