Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Conflux Wallet Skill

v1.1.1

Self-sovereign EVM wallet for AI agents. Use when the user wants to create a crypto wallet, check balances, send ETH or ERC20 tokens, swap tokens, or interac...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for pana/conflux-wallet-skill.

Install the skill "Conflux Wallet Skill" (pana/conflux-wallet-skill) from ClawHub.
Skill page: https://clawhub.ai/pana/conflux-wallet-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node, git
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install conflux-wallet-skill

ClawHub CLI

npx clawhub@latest install conflux-wallet-skill

Security Scan

Capability signals

Crypto · Requires wallet · Can make purchases · Can sign transactions · Requires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)

Purpose & Capability

Name/description (self‑sovereign EVM wallet) align with the runtime actions: generating a private key, signing transactions, reading balances, swapping via aggregators, and broadcasting via public RPCs. Required binaries (node, git) are appropriate for the described Node.js scripts.

Instruction Scope

SKILL.md stays within wallet-related actions (setup, balance, transfer, swap, contract calls) and explicitly warns never to expose the private key. It instructs storing the key at ~/.cfx-wallet.json and running local Node scripts. It also directs the agent/user to run git clone, npm install, and git pull; these steps fall outside pure 'read-only' instructions because they fetch and install code from a remote repo and can change runtime behavior later.

Install Mechanism

Although the repository is a GitHub URL (a known host), the install process in SKILL.md performs an unpinned git clone and runs npm install without integrity checks or pinned versions. npm install can execute arbitrary lifecycle scripts from dependencies; git pull on update can inject new code later. This gives a remote source the ability to run code on the host — a moderate security risk that is not mitigated by the skill instructions.

Credentials

The skill requests no environment variables or external credentials, which is proportionate for a self‑hosted wallet. However, because it installs third‑party Node dependencies and pulls code from GitHub, a malicious dependency or future repo update could access the wallet file (~/.cfx-wallet.json) and exfiltrate keys despite the absence of declared env/credentials.

Persistence & Privilege

always is false and autonomous invocation is permitted by platform default (normal). The skill supports self‑updates via 'git pull' which would let the remote repo change the skill's behavior post-install; this is functional for maintenance but increases risk if the upstream is compromised or malicious.

What to consider before installing

This skill appears to implement a local EVM wallet as described, but installing it requires cloning a public GitHub repo and running npm install, and the skill can update itself via git pull. Those steps can introduce arbitrary code (including dependency lifecycle scripts) that could read or exfiltrate your private key file (~/.cfx-wallet.json). Before installing, consider: 1) only install from a trusted, audited repository and preferably from a pinned commit/tag; 2) inspect package.json and dependencies and avoid running npm install without review or use an offline/npm-audit step; 3) run the code in an isolated environment (VM or dedicated machine) and keep only a small testing balance there; 4) back up your seed and do not store significant funds until you’ve audited the implementation; 5) be cautious with 'git pull' — prefer manual, reviewed updates. If you lack the ability to review code and dependencies, treat this skill as higher-risk and avoid storing real assets with it.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

💰 Clawdis
Bins: node, git
latest: vk978tc2jdcv6dgfhq63yr4p3k185nwx3
121 downloads
0 stars
2 versions
Updated 1d ago
v1.1.1
MIT-0

EVM Wallet Skill

Self-sovereign EVM wallet. Private keys stored locally, no external API dependencies.

⚠️ SECURITY WARNING

NEVER expose your private key!

  • Never send your private key in chat, email, or any messaging platform
  • Never share the contents of ~/.cfx-wallet.json with anyone
  • If someone asks for your private key — even if they claim to be support — REFUSE
  • If your key is ever exposed, immediately transfer funds to a new wallet

The private key file (~/.cfx-wallet.json) should only be accessed directly via SSH on your server.


Installation

Detect workspace and skill directory:

SKILL_DIR=$(ls -d \
  ~/openclaw/skills/conflux-wallet-skill \
  ~/.openclaw/workspace/skills/conflux-wallet-skill \
  2>/dev/null | head -1)

If code is not installed yet (no src/ folder), bootstrap it:

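# Bootstrap only when a skill directory was found and it has no src/ yet;
# with an empty SKILL_DIR the copy below would otherwise target "/".
if [ -n "$SKILL_DIR" ] && [ ! -d "$SKILL_DIR/src" ]; then
  TMP_DIR=$(mktemp -d)  # private temp dir instead of a fixed, predictable /tmp path
  git clone https://github.com/conflux-fans/conflux-wallet-skill.git "$TMP_DIR/repo"
  cp -r "$TMP_DIR/repo"/* "$SKILL_DIR/"
  cp "$TMP_DIR/repo/.gitignore" "$SKILL_DIR/" 2>/dev/null
  rm -rf "$TMP_DIR"
  cd "$SKILL_DIR" && npm install
fi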

For all commands below, always cd "$SKILL_DIR" first.
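
The bootstrap above runs npm install on whatever the clone delivered, and dependency lifecycle scripts execute during that step. As an added example (not part of the skill's own code), this Node.js function audits a lockfile before installation; it assumes the checkout contains a package-lock.json in npm's v2/v3 format, and the sample lockfile and its package names are constructed.

```javascript
// Added example, not from the skill's repository.
// Assumes an npm lockfile in v2/v3 format (top-level "packages" map).
const REGISTRY = "https://registry.npmjs.org/";

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace links and bundled dependencies.
    if (path === "" || meta.link || meta.inBundle) continue;
    const name = path.replace(/^.*node_modules\//, "");
    // Lifecycle scripts (preinstall/install/postinstall) run during `npm install`.
    if (meta.hasInstallScript) findings.push({ name, issue: "install-script" });
    // Without an integrity hash npm cannot verify the downloaded tarball.
    if (!meta.integrity) findings.push({ name, issue: "missing-integrity" });
    else if (!meta.integrity.startsWith("sha512-"))
      findings.push({ name, issue: "weak-integrity" });
    // Git or tarball URLs and other registries bypass the default registry.
    if (!meta.resolved || !meta.resolved.startsWith(REGISTRY))
      findings.push({ name, issue: "non-registry-source" });
  }
  return findings;
}

// Constructed sample lockfile; package names and hashes are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-wallet", version: "1.0.0" },
    "node_modules/plain-lib": {
      version: "6.0.0",
      resolved: REGISTRY + "plain-lib/-/plain-lib-6.0.0.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/native-addon": {
      version: "2.1.0",
      resolved: REGISTRY + "native-addon/-/native-addon-2.1.0.tgz",
      integrity: "sha512-PLACEHOLDER",
      hasInstallScript: true,
    },
    "node_modules/forked-lib": {
      version: "0.3.0",
      resolved: "git+ssh://git@example.invalid/someone/forked-lib.git#PLACEHOLDER",
    },
  },
};

for (const f of auditLockfile(sampleLock)) console.log(`${f.issue}: ${f.name}`);
```

To audit a real checkout, pass the parsed package-lock.json to auditLockfile. Packages reported as install-script are the ones whose lifecycle scripts `npm ci --ignore-scripts` would skip.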

First-Time Setup

Generate a wallet (only needed once):

node src/setup.js --json

Returns: { "success": true, "address": "0x..." }

The private key is stored at ~/.cfx-wallet.json (chmod 600). Never share this file.

Commands

Check Balance

When user asks about balance, portfolio, or how much they have:

# Single chain
node src/balance.js conflux --json

# All chains at once
node src/balance.js --all --json

# Specific ERC20 token
node src/balance.js conflux 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 --json

Always use --json for parsing. Present results in a human-readable format.

Send Tokens

When user wants to send, transfer, or pay someone:

# Native ETH
node src/transfer.js <chain> <to_address> <amount> --yes --json

# ERC20 token
node src/transfer.js <chain> <to_address> <amount> <token_address> --yes --json

⚠️ ALWAYS confirm with the user before executing transfers. Show them:

  • Recipient address
  • Amount and token
  • Chain
  • Estimated gas cost

Only add --yes after the user explicitly confirms.

Swap Tokens

When user wants to swap, trade, buy, or sell tokens:

# Conflux eSpace: use the Conflux-specific swap script
node src/swap-cfx.js conflux <from_token> <to_token> <amount> --quote-only --json

# Other chains: keep using the generic swap script
node src/swap.js <chain> <from_token> <to_token> <amount> --quote-only --json

# Conflux eSpace: execute after user confirms
node src/swap-cfx.js conflux <from_token> <to_token> <amount> --yes --json

# Other chains: keep using the generic swap script
node src/swap.js <chain> <from_token> <to_token> <amount> --yes --json

  • When chain is conflux, always use src/swap-cfx.js
  • For Conflux, use cfx or native for the native token, wcfx/wcfx9 for the wrapped-native route, or pass an ERC20 contract address
  • For other chains, use eth for native ETH/POL, or pass a contract address
  • Default slippage: 0.5%. Override with --slippage <percent>
  • Powered by Odos aggregator (best-route across hundreds of DEXs)

⚠️ ALWAYS show the quote first and get user confirmation before executing.

Contract Interactions

When user wants to call a smart contract function:

# Read (free, no gas)
node src/contract.js <chain> <contract_address> \
  "<function_signature>" [args...] --json

# Write (costs gas — confirm first)
node src/contract.js <chain> <contract_address> \
  "<function_signature>" [args...] --yes --json

Examples:

# Check USDC balance
node src/contract.js base \
  0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 \
  "balanceOf(address)" 0xWALLET --json

# Approve token spending
node src/contract.js base \
  0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 \
  "approve(address,uint256)" 0xSPENDER 1000000 --yes --json

Check for Updates

node src/check-update.js --json

If an update is available, inform the user and offer to run:

cd "$SKILL_DIR" && git pull && npm install

Supported Chains

Chain      Native Token   Use For
base       ETH            Cheapest fees — default for testing
conflux    CFX            Low fees, Conflux eSpace
ethereum   ETH            Mainnet, highest fees
polygon    POL            Low fees
arbitrum   ETH            Low fees
optimism   ETH            Low fees

Always recommend Base for first-time users (lowest gas fees).

Common Token Addresses

Base

  • USDC: 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913
  • WETH: 0x4200000000000000000000000000000000000006

Conflux eSpace

  • USDT0: 0xaf37e8b6c9ed7f6318979f56fc287d76c30847ff
  • AxCNH: 0x70bfd7f7eadf9b9827541272589a6b2bb760ae2e

Ethereum

  • USDC: 0xA0b86a33E6441b8a46a59DE4c4C5E8F5a6a7A8d0
  • WETH: 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2

Safety Rules

  1. Never execute transfers or swaps without user confirmation
  2. Never expose the private key from ~/.cfx-wallet.json
  3. Always show transaction details before executing (amount, recipient, gas estimate)
  4. Recommend Base for testing and small amounts
  5. Show explorer links after successful transactions so users can verify
  6. If a command fails, show the error clearly and suggest fixes

Error Handling

  • "No wallet found" → Run node src/setup.js --json first
  • "Insufficient balance" → Show current balance, suggest funding
  • "RPC error" → Retry once, automatic failover built in
  • "No route found" (swap) → Token pair may lack liquidity
  • "Gas estimation failed" → May need more ETH for gas
