Goodwallet Trading

This skill appears to implement exactly what it claims (MPC-signed wallet trading), but there are several red flags you should check before installing or using it: - Confirm the author/source: the registry lists no homepage and the owner is unknown. Verify the 'goodwallet' npm package origin and that the native module is legitimate. - The skill reads ~/.config/goodwallet/config.json for apiKey/share/address — make sure you trust the auth flow and that the file is only populated by the official goodwallet tool. The registry metadata should have declared this but did not. - The code posts to an external signing endpoint (SIGN_URL, default sign.goodwallet.dev) and uses a relay URL. Verify these endpoints are the real GoodWallet/Sodot services and not attacker-controlled. - The skill loads a native .node binary from the goodwallet package. Native modules can run arbitrary code on your machine; only proceed if the package and its binary are from a trusted source. - There is a hard-coded Alchemy RPC URL (with an API key) in the code — this is an embedded credential and indicates default testnet use; it doesn’t directly leak your keys but shows the package bundles secrets. Consider overriding RPC_URL or inspecting the package to understand limits of that key. - The skill supports arbitrary contract-call and token swaps; these actions can move funds. Always verify addresses, amounts, and outputs before approving or broadcasting transactions. If you need to proceed, prefer running this in an isolated environment or container, inspect the goodwallet npm package and native binary contents yourself, and confirm the sign/relay endpoints and package authorship. If you cannot validate those points, treat the skill as untrusted.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.