privy-integration

This skill's content appears to be a detailed integration guide for Privy and legitimately needs high-privilege secrets (appId/appSecret, webhook signing secret) and operations like creating/exporting wallets and signing transactions. However, the skill metadata incorrectly lists no required credentials — that's a red flag because it can lull you into underestimating the risk. Before installing or enabling this skill: - Verify the source and publisher (there is no homepage and source is unknown). Prefer official Privy documentation or packages (npm orgs, GitHub repo) you can audit. - Do NOT place production App Secrets or private keys in the agent config or environment until you understand who/what will access them; test with a throwaway Privy app and testnet funds only. - The skill guides you through exporting private keys and storing secrets in ~/.openclaw/openclaw.json — treat that as highly sensitive: store only in secure vaults and give the least privilege necessary. - If you plan to enable agentic/autonomous wallets, add restrictive policies, require human approval for high-value ops, and monitor webhooks closely. - Ask the publisher to update the registry metadata to list required env vars (PRIVY_APP_ID, PRIVY_APP_SECRET, PRIVY_WEBHOOK_SIGNING_SECRET, MPP_RECIPIENT, etc.) and to provide an authoritative source URL or signed release so you can verify provenance. If you cannot confirm the skill's origin or are unable to test safely in an isolated environment, avoid granting it access to real credentials or production funds.