Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Goodwallet Trading

v0.2.1

Blockchain trading tools extending GoodWallet MPC agentic wallets. Adds ERC20 transfers, token approvals, DEX swaps (Uniswap V2), arbitrary contract calls, b...

0 stars · 207 downloads · 0 current · 0 all-time
by Yoni (@yoniassia)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yoniassia/goodwallet-trading.

Prompt preview (Install & Setup):
Install the skill "Goodwallet Trading" (yoniassia/goodwallet-trading) from ClawHub.
Skill page: https://clawhub.ai/yoniassia/goodwallet-trading
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install goodwallet-trading

ClawHub CLI


npx clawhub@latest install goodwallet-trading

Security Scan

VirusTotal: Suspicious (View report →)
OpenClaw: Suspicious (medium confidence)
Purpose & Capability

The skill's stated purpose (ERC20 transfers, approvals, Uniswap V2 swaps, arbitrary contract calls signed via Sodot MPC) matches what the code implements: RPC calls, transaction building, and MPC signing via a native SDK. However, the registry metadata omits that the skill requires GoodWallet credentials stored at ~/.config/goodwallet/config.json and the environment variables SIGN_URL and RPC_URL that the code reads, so the declared requirements do not match the actual needs.

Instruction Scope

SKILL.md instructs the agent to run npx commands and to read ~/.config/goodwallet/config.json for credentials; the code does read that file and posts signing requests to an external signing endpoint. The instructions also tell the agent not to reveal internal technical details, which reduces transparency. Reading the local config and contacting external sign/relay endpoints is necessary for MPC signing, but neither was declared in the registry metadata; this scope creep should be documented and verified.

Install Mechanism

There is no install spec in the registry (instruction-only), but the package includes index.js and npm metadata. The instructions use npx, which downloads the package at runtime, and the code requires the goodwallet npm package and a native .node library from it. Loading native modules carries more risk than pure JS. There are no obscure download URLs and the dependencies come from npm, but native binary execution widens the blast radius and should be verified as coming from the official goodwallet package.

Credentials

The registry declares no required env vars or config paths, yet the skill reads ~/.config/goodwallet/config.json (requires apiKey, share, address) and process.env.SIGN_URL / process.env.RPC_URL. The code also embeds a hard-coded Alchemy RPC URL, including an API key, as the default: an embedded credential. Using the user's GoodWallet API key and share is expected for signing, but the omission from metadata is a proportionality and documentation problem as well as a transparency and security concern.

Persistence & Privilege

The skill does not request always:true, does not claim system-wide persistence, and does not modify other skills' configs. It performs network calls and loads a native module but requests no elevated platform privileges in metadata.

What to consider before installing

This skill appears to implement exactly what it claims (MPC-signed wallet trading), but there are several red flags to check before installing or using it:

- Confirm the author and source: the registry lists no homepage and the owner is unknown. Verify the origin of the goodwallet npm package and that the native module is legitimate.
- The skill reads ~/.config/goodwallet/config.json for apiKey, share and address. Make sure you trust the auth flow and that the file is only populated by the official goodwallet tool. The registry metadata should have declared this but did not.
- The code posts to an external signing endpoint (SIGN_URL, default sign.goodwallet.dev) and uses a relay URL. Verify these endpoints are the real GoodWallet/Sodot services and not attacker-controlled.
- The skill loads a native .node binary from the goodwallet package. Native modules can run arbitrary code on your machine; only proceed if the package and its binary come from a trusted source.
- There is a hard-coded Alchemy RPC URL (with an API key) in the code. This is an embedded credential and indicates default testnet use; it does not directly leak your keys, but it shows the package bundles secrets. Consider overriding RPC_URL or inspecting the package to understand the limits of that key.
- The skill supports arbitrary contract calls and token swaps; these actions can move funds. Always verify addresses, amounts and outputs before approving or broadcasting transactions.

If you need to proceed, prefer running this in an isolated environment or container, inspect the goodwallet npm package and native binary contents yourself, and confirm the sign/relay endpoints and package authorship. If you cannot validate those points, treat the skill as untrusted.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

index.js:110: Environment variable access combined with network send.
index.js:5: File read combined with network send (possible exfiltration).


latest: vk976rgzgvvr12mfymk6ad91mjs835etr
207 downloads · 0 stars · 3 versions
Updated 21h ago · v0.2.1 · MIT-0

GoodWallet Trading

Extends the goodwallet skill with blockchain trading capabilities. All transactions are MPC-signed via the same Sodot threshold ECDSA signing service.

Prerequisite: The user must first authorize via the goodwallet skill (auth + pair). Credentials are shared via ~/.config/goodwallet/config.json.

All commands are run via npx goodwallet-trading@0.2.0. Note that this page lists the skill as v0.2.1 while the commands below pin 0.2.0; pinning an exact version is the right practice, but make sure the version you run is the one that was scanned.

Important: Do not share technical details (key types, signature formats, internal paths). Run commands and report outcomes in plain language.

Setup

If the user hasn't authorized yet, run the goodwallet auth flow first:

npx goodwallet@0.2.0 auth
# Show the URL to the user, then immediately:
npx goodwallet@0.2.0 pair

Once paired, all goodwallet-trading commands will work automatically.

Commands

balance — Check ETH and ERC20 balances

npx goodwallet-trading@0.2.0 balance
npx goodwallet-trading@0.2.0 balance --token <erc20-address>

erc20-send — Send ERC20 tokens

npx goodwallet-trading@0.2.0 erc20-send --to <address> --amount <amount> --token <erc20-address>
Flag                 Short   Required   Description
--to <address>       -t      Yes        Recipient address
--amount <amount>    -a      Yes        Amount (human-readable, e.g. 10.5)
--token <address>            Yes        ERC20 token contract

approve — Approve token spending

npx goodwallet-trading@0.2.0 approve --token <erc20-address> --spender <address>
npx goodwallet-trading@0.2.0 approve --token <erc20-address> --spender <address> --amount 100

Without --amount, approves unlimited spending. An unlimited approval lets the spender move your entire balance of that token at any time until it is revoked; prefer an explicit --amount sized to the trade you are about to make.

contract-call — Call any smart contract

The most powerful command: it executes arbitrary calldata against any contract, signed by MPC. Calldata is opaque until decoded, so verify --to, --data and --value before approving; a single hex blob can be an approval, a transfer or anything else the target contract accepts.

npx goodwallet-trading@0.2.0 contract-call --to <contract> --data <calldata-hex>
npx goodwallet-trading@0.2.0 contract-call --to <contract> --data <calldata-hex> --value 0.1
Flag               Required   Description
--to <address>     Yes        Contract address
--data <hex>       Yes        Calldata (hex with 0x prefix)
--value <ether>    No         ETH to send with call (default: 0)

swap — Uniswap V2 DEX swap

npx goodwallet-trading@0.2.0 swap --router <router-address> --from-token ETH --to-token <token-address> --amount 0.1
npx goodwallet-trading@0.2.0 swap --router <router-address> --from-token <token-a> --to-token <token-b> --amount 100
Flag                         Required   Description
--router <address>           Yes        Uniswap V2 router address
--from-token <address|ETH>   Yes        Token to sell (or "ETH")
--to-token <address|ETH>     Yes        Token to buy (or "ETH")
--amount <amount>            Yes        Amount to swap
--slippage <percent>         No         Slippage tolerance (default: 1%)

token-info — Get ERC20 token details

npx goodwallet-trading@0.2.0 token-info --token <erc20-address>

Returns: name, symbol, decimals, total supply, your balance.

allowance — Check approved spending

npx goodwallet-trading@0.2.0 allowance --token <erc20-address> --spender <address>

Environment Variables

Variable   Default                  Description
SIGN_URL   sign.goodwallet.dev      Signing service endpoint
RPC_URL    Alchemy Hoodi endpoint   Override RPC URL (the bundled default includes an API key; see the scan notes above)

Network

Currently configured for Hoodi testnet (chain ID 560048). Explorer: https://hoodi.etherscan.io/ If you override RPC_URL, make sure it points at the same chain; an endpoint for a different network would have real-value transactions signed with the same credentials.

File Locations

File                               Purpose
~/.config/goodwallet/config.json   Shared credentials from goodwallet auth

Typical Workflow

# 1. Auth (if not already done)
npx goodwallet@0.2.0 auth
npx goodwallet@0.2.0 pair

# 2. Check balance
npx goodwallet-trading@0.2.0 balance

# 3. Send ERC20 tokens
npx goodwallet-trading@0.2.0 erc20-send --to 0x... --amount 10 --token 0x...

# 4. Approve DEX router
npx goodwallet-trading@0.2.0 approve --token 0x... --spender 0x...

# 5. Swap on DEX
npx goodwallet-trading@0.2.0 swap --router 0x... --from-token ETH --to-token 0x... --amount 0.1

# 6. Arbitrary contract call
npx goodwallet-trading@0.2.0 contract-call --to 0x... --data 0xabcdef... --value 0.05
