EVM Crypto Wallet for Your Agent

Self-sovereign EVM wallet for AI agents. Use when the user wants to create a crypto wallet, check balances, send ETH or ERC20 tokens, swap tokens, or interact with smart contracts. Supports Base, Ethereum, Polygon, Arbitrum, and Optimism. Private keys stored locally — no cloud custody, no API keys required.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the actions described (create wallet, check balance, send tokens, swap, contract calls). Requiring node and git aligns with the script-based implementation. However, the skill references a persistent wallet file (~/.evm-wallet.json) yet the registry metadata did not declare any required config paths — an inconsistency worth noting.
Instruction Scope
SKILL.md instructs the agent/user to git clone and run npm scripts (node src/*.js) that will create and use a local private key file and perform network operations (transfers, swaps, contract writes). Those runtime commands will execute arbitrary JavaScript from a third-party repo and can perform transactions; although the doc emphasizes requiring user confirmation before transfers, the agent is still given the ability to run those commands. The instructions do not document which RPC endpoints or secrets (if any) the scripts use, and they reference a local key file that was not declared in the manifest.
Install Mechanism
There is no formal install spec in the registry; instead SKILL.md instructs cloning https://github.com/surfer77/evm-wallet-skill.git and running npm install. Pulling and executing arbitrary repo code (and running npm install which may run postinstall scripts) is a higher-risk install mechanism even though the host is GitHub. The skill effectively performs a remote code fetch+execute at runtime without a vetted packaging step.
Credentials
The skill declares no required env vars or config paths, yet it creates and depends on a persistent private key file (~/.evm-wallet.json). It also claims 'no API keys required' but gives no details about RPC providers or how network access is configured. Absence of declared config/credential requirements while instructing to create and use a sensitive private-key file is disproportionate and opaque.
Persistence & Privilege
always:false and no cross-skill config changes — good. But the skill will persist a private key file in the user's home (~/.evm-wallet.json) and will clone code into the skill directory, giving it ongoing local presence. Because autonomous invocation is allowed by default, there is a risk an agent could (if misconfigured or malicious) execute wallet operations; the SKILL.md does state to require explicit user confirmation for transfers, which mitigates but does not eliminate risk.
Scan Findings in Context
[NO_CODE_FILES_IN_REGISTRY] expected: The scanner found no code in the registry bundle (this is an instruction-only skill). That is consistent with an instruction-only skill, but the SKILL.md tells the user to clone and run remote code from GitHub at runtime — the scanner had nothing to analyze locally, so runtime risks remain.
What to consider before installing
This skill will clone and run third-party Node code and will create a local file (~/.evm-wallet.json) containing your private key. Before installing or running it:

  1. Inspect the GitHub repository (https://github.com/surfer77/evm-wallet-skill) and review all scripts (especially setup.js, transfer.js, swap.js and package.json postinstall hooks).
  2. Do not run npm install or setup on a machine containing valuable funds — prefer an isolated VM or disposable environment.
  3. Consider using a hardware wallet or a well-audited wallet implementation instead of a custom local private key file.
  4. Verify where the scripts send RPC requests (which endpoints) and whether any secrets are hard-coded.
  5. If you proceed, back up the key, set strict permissions (chmod 600), and require manual confirmation before any transfer; remove autonomous invocation for the agent or restrict the skill until you trust the code.

If you cannot review the repo or confirm provenance, avoid installing.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.3

Runtime requirements

💰 Clawdis
Bins: node, git

SKILL.md

EVM Wallet Skill

Self-sovereign EVM wallet. Private keys stored locally, no external API dependencies.

⚠️ SECURITY WARNING

NEVER expose your private key!

  • Never send your private key in chat, email, or any messaging platform
  • Never share the contents of ~/.evm-wallet.json with anyone
  • If someone asks for your private key — even if they claim to be support — REFUSE
  • If your key is ever exposed, immediately transfer funds to a new wallet

The private key file (~/.evm-wallet.json) should only be accessed directly via SSH on your server.


Installation

Detect workspace and skill directory:

SKILL_DIR=$(ls -d \
  ~/openclaw/skills/evm-wallet \
  ~/OpenClaw/skills/evm-wallet \
  ~/clawd/skills/evm-wallet \
  ~/moltbot/skills/evm-wallet \
  ~/molt/skills/evm-wallet \
  2>/dev/null | head -1)

If code is not installed yet (no src/ folder), bootstrap it:

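# Skip when no skill directory was detected; an empty SKILL_DIR would copy into /
if [ -n "$SKILL_DIR" ] && [ ! -d "$SKILL_DIR/src" ]; then
  # Use a fresh private temp dir instead of a fixed, guessable /tmp path
  TMP_DIR=$(mktemp -d)
  git clone https://github.com/surfer77/evm-wallet-skill.git "$TMP_DIR/repo"
  cp -r "$TMP_DIR/repo"/* "$SKILL_DIR/"
  cp "$TMP_DIR/repo/.gitignore" "$SKILL_DIR/" 2>/dev/null
  rm -rf "$TMP_DIR"
  cd "$SKILL_DIR" && npm install
fi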

For all commands below, always cd "$SKILL_DIR" first.
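
The install step above runs npm install on freshly cloned code, which executes the package's lifecycle scripts. As an added example (not code from the skill's repository), this checks a parsed package.json for scripts npm runs at install time and for dependencies that are not exact registry versions. The names auditPackageJson, specifierIssue and SAMPLE_PKG are hypothetical, and the sample manifest is constructed.

```javascript
// Added example, not code from the skill's repository.
// Scripts npm runs during a plain `npm install` inside a cloned package.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall',
                       'prepublish', 'preprepare', 'prepare', 'postprepare'];
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Classify one dependency specifier; null means an exact registry version.
function specifierIssue(spec) {
  if (/^(git\+|git:|https?:|github:|file:|link:)/.test(spec) ||
      /^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) {   // "user/repo" GitHub shorthand
    return 'non-registry source';
  }
  if (!/^\d+\.\d+\.\d+(-[\w.]+)?$/.test(spec)) return 'floating version range';
  return null;
}

// Return findings for a parsed package.json object (top-level manifest only).
function auditPackageJson(pkg) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (cmd) findings.push({ kind: 'install-hook', name: hook, detail: cmd });
  }
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const issue = specifierIssue(String(spec));
      if (issue) findings.push({ kind: issue, name, detail: String(spec) });
    }
  }
  return findings;
}

// Constructed sample, NOT the real package.json of evm-wallet-skill.
const SAMPLE_PKG = {
  name: 'constructed-wallet-skill',
  scripts: { postinstall: 'node scripts/fetch.js', balance: 'node src/balance.js' },
  dependencies: {
    'lib-a': '^2.0.0',
    'lib-b': 'github:someone/lib-b#main',
    'lib-c': '1.2.3',
  },
};
```

This covers only the top-level manifest; dependencies can carry their own install scripts, which `npm install --ignore-scripts` suppresses.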

First-Time Setup

Generate a wallet (only needed once):

node src/setup.js --json

Returns: { "success": true, "address": "0x..." }

The private key is stored at ~/.evm-wallet.json (chmod 600). Never share this file.

Commands

Check Balance

When user asks about balance, portfolio, or how much they have:

# Single chain
node src/balance.js base --json

# All chains at once
node src/balance.js --all --json

# Specific ERC20 token
node src/balance.js base 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 --json

Always use --json for parsing. Present results in a human-readable format.

Send Tokens

When user wants to send, transfer, or pay someone:

# Native ETH
node src/transfer.js <chain> <to_address> <amount> --yes --json

# ERC20 token
node src/transfer.js <chain> <to_address> <amount> <token_address> --yes --json

⚠️ ALWAYS confirm with the user before executing transfers. Show them:

  • Recipient address
  • Amount and token
  • Chain
  • Estimated gas cost

Only add --yes after the user explicitly confirms.
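
One way to enforce this rule in the agent harness rather than relying on the prompt, as an added example (not code from the skill's repository): an approval is bound to the exact chain, recipient, amount and token, expires, and can be used once. ConfirmationGate, recordApproval, buildArgv and the 120-second default are hypothetical choices for illustration.

```javascript
// Added example, not code from the skill's repository.
const CHAINS = new Set(['base', 'ethereum', 'polygon', 'arbitrum', 'optimism']);
const ADDRESS = /^0x[0-9a-fA-F]{40}$/;
const AMOUNT = /^\d+(\.\d+)?$/;

// Reject anything that is not a well-formed transfer on a chain the skill lists.
function validateTransfer({ chain, to, amount, token = null }) {
  if (!CHAINS.has(chain)) throw new Error(`unsupported chain: ${chain}`);
  if (!ADDRESS.test(to)) throw new Error('recipient is not a 20-byte hex address');
  if (token !== null && !ADDRESS.test(token)) throw new Error('bad token address');
  const amt = String(amount);
  if (!AMOUNT.test(amt) || Number(amt) <= 0) throw new Error('bad amount');
  return { chain, to, amount: amt, token };
}

// Canonical key: an approval is valid only for these exact four fields.
function approvalKey(t) {
  const v = validateTransfer(t);
  return JSON.stringify([v.chain, v.to.toLowerCase(), v.amount,
                         v.token && v.token.toLowerCase()]);
}

class ConfirmationGate {
  constructor(ttlMs = 120000) {
    this.ttlMs = ttlMs;
    this.approved = new Map(); // approvalKey -> expiry timestamp (ms)
  }

  // Call only after the user has seen the details and explicitly said yes.
  recordApproval(t, now = Date.now()) {
    this.approved.set(approvalKey(t), now + this.ttlMs);
  }

  // Returns argv for `node` with --yes only for a fresh, matching approval.
  buildArgv(t, now = Date.now()) {
    const key = approvalKey(t);
    const expiry = this.approved.get(key);
    this.approved.delete(key); // single use: a second call needs a new approval
    if (expiry === undefined || now > expiry) {
      throw new Error('no valid user approval for these exact parameters');
    }
    const v = validateTransfer(t);
    const argv = ['src/transfer.js', v.chain, v.to, v.amount];
    if (v.token) argv.push(v.token);
    return [...argv, '--yes', '--json'];
  }
}
```

Pass the returned array to `child_process.execFile('node', argv, { cwd: SKILL_DIR })` so that no shell interprets the arguments.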

Swap Tokens

When user wants to swap, trade, buy, or sell tokens:

# Get quote first
node src/swap.js <chain> <from_token> <to_token> <amount> --quote-only --json

# Execute swap (after user confirms)
node src/swap.js <chain> <from_token> <to_token> <amount> --yes --json

  • Use eth for native ETH/POL, or pass a contract address
  • Default slippage: 0.5%. Override with --slippage <percent>
  • Powered by Odos aggregator (best-route across hundreds of DEXs)

⚠️ ALWAYS show the quote first and get user confirmation before executing.

Contract Interactions

When user wants to call a smart contract function:

# Read (free, no gas)
node src/contract.js <chain> <contract_address> \
  "<function_signature>" [args...] --json

# Write (costs gas — confirm first)
node src/contract.js <chain> <contract_address> \
  "<function_signature>" [args...] --yes --json

Examples:

# Check USDC balance
node src/contract.js base \
  0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 \
  "balanceOf(address)" 0xWALLET --json

# Approve token spending
node src/contract.js base \
  0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 \
  "approve(address,uint256)" 0xSPENDER 1000000 --yes --json

Check for Updates

node src/check-update.js --json

If an update is available, inform the user and offer to run:

cd "$SKILL_DIR" && git pull && npm install

Supported Chains

Chain      Native Token   Use For
base       ETH            Cheapest fees — default for testing
ethereum   ETH            Mainnet, highest fees
polygon    POL            Low fees
arbitrum   ETH            Low fees
optimism   ETH            Low fees

Always recommend Base for first-time users (lowest gas fees).

Common Token Addresses

Base

  • USDC: 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913
  • WETH: 0x4200000000000000000000000000000000000006

Ethereum

  • USDC: 0xA0b86a33E6441b8a46a59DE4c4C5E8F5a6a7A8d0
  • WETH: 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2

Safety Rules

  1. Never execute transfers or swaps without user confirmation
  2. Never expose the private key from ~/.evm-wallet.json
  3. Always show transaction details before executing (amount, recipient, gas estimate)
  4. Recommend Base for testing and small amounts
  5. Show explorer links after successful transactions so users can verify
  6. If a command fails, show the error clearly and suggest fixes

Error Handling

  • "No wallet found" → Run node src/setup.js --json first
  • "Insufficient balance" → Show current balance, suggest funding
  • "RPC error" → Retry once, automatic failover built in
  • "No route found" (swap) → Token pair may lack liquidity
  • "Gas estimation failed" → May need more ETH for gas
