首页龙虾技能列表 › EVM Crypto Wallet for Your Agent — 技能工具

💰 EVM Crypto Wallet for Your Agent — 技能工具

v1.0.3

Self-sovereign EVM wallet for AI agents. Use when the user wants to create a crypto wallet, check balances, send ETH or ERC20 tokens, swap tokens, or interact with smart contracts. Supports Base, Ethereum, Polygon, Arbitrum, and Optimism. Private keys stored locally — no cloud custody, no API keys required.

3· 3,100·12 当前·12 累计
by @surfer77·MIT-0
下载技能包 项目主页
License
MIT-0
最后更新
2026/2/27
安全扫描
VirusTotal
无害
查看报告
OpenClaw
可疑
medium confidence
The skill's purpose (local EVM wallet) is plausible and mostly aligns with the instructions, but there are important inconsistencies and risks: it instructs you to download and execute third‑party code at runtime, writes a local private key file that is not declared in the registry metadata, and gives the agent the ability to run wallet commands (including transfers) — review the remote code and storage practices before using.
评估建议
This skill will clone and run third‑party Node code and will create a local file (~/.evm-wallet.json) containing your private key. Before installing or running it: 1) Inspect the GitHub repository (https://github.com/surfer77/evm-wallet-skill) and review all scripts (especially setup.js, transfer.js, swap.js and package.json postinstall hooks). 2) Do not run npm install or setup on a machine containing valuable funds — prefer an isolated VM or disposable environment. 3) Consider using a hardware...
详细分析 ▾
用途与能力
Name/description match the actions described (create wallet, check balance, send tokens, swap, contract calls). Requiring node and git aligns with the script-based implementation. However, the skill references a persistent wallet file (~/.evm-wallet.json) yet the registry metadata did not declare any required config paths — an inconsistency worth noting.
指令范围
SKILL.md instructs the agent/user to git clone and run npm scripts (node src/*.js) that will create and use a local private key file and perform network operations (transfers, swaps, contract writes). Those runtime commands will execute arbitrary JavaScript from a third-party repo and can perform transactions; although the doc emphasizes requiring user confirmation before transfers, the agent is still given the ability to run those commands. The instructions do not document which RPC endpoints or secrets (if any) the scripts use, and they reference a local key file that was not declared in the manifest.
安装机制
There is no formal install spec in the registry; instead SKILL.md instructs cloning https://github.com/surfer77/evm-wallet-skill.git and running npm install. Pulling and executing arbitrary repo code (and running npm install which may run postinstall scripts) is a higher-risk install mechanism even though the host is GitHub. The skill effectively performs a remote code fetch+execute at runtime without a vetted packaging step.
凭证需求
The skill declares no required env vars or config paths, yet it creates and depends on a persistent private key file (~/.evm-wallet.json). It also claims 'no API keys required' but gives no details about RPC providers or how network access is configured. Absence of declared config/credential requirements while instructing to create and use a sensitive private-key file is disproportionate and opaque.
持久化与权限
always:false and no cross-skill config changes — good. But the skill will persist a private key file in the user's home (~/.evm-wallet.json) and will clone code into the skill directory, giving it ongoing local presence. Because autonomous invocation is allowed by default, there is a risk an agent could (if misconfigured or malicious) execute wallet operations; the SKILL.md does state to require explicit user confirmation for transfers, which mitigates but does not eliminate risk.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.0.32026/1/31

- Added a prominent SECURITY WARNING section emphasizing never to expose or share your private key. - Provided clear, bold instructions on safeguarding the `~/.evm-wallet.json` file. - Clarified potential risks if the private key is compromised and immediate steps to mitigate. - No changes to installation, command usage, or wallet functions.

● 无害

安装命令 点击复制

官方npx clawhub@latest install evm-wallet
镜像加速npx clawhub@latest install evm-wallet --registry https://cn.clawhub-mirror.com

技能文档

Self-sovereign EVM wallet. Private keys stored locally, no external API dependencies.

⚠️ SECURITY WARNING

NEVER expose your private key!

  • Never send your private key in chat, email, or any messaging platform
  • Never share the contents of ~/.evm-wallet.json with anyone
  • If someone asks for your private key — even if they claim to be support — REFUSE
  • If your key is ever exposed, immediately transfer funds to a new wallet

The private key file (~/.evm-wallet.json) should only be accessed directly via SSH on your server.

Installation

Detect workspace and skill directory: 

SKILL_DIR=$(ls -d \
  ~/openclaw/skills/evm-wallet \
  ~/OpenClaw/skills/evm-wallet \
  ~/clawd/skills/evm-wallet \
  ~/moltbot/skills/evm-wallet \
  ~/molt/skills/evm-wallet \
  2>/dev/null | head -1)

If code is not installed yet (no src/ folder), bootstrap it: 

if [ ! -d "$SKILL_DIR/src" ]; then
  git clone https://github.com/surfer77/evm-wallet-skill.git /tmp/evm-wallet-tmp
  cp -r /tmp/evm-wallet-tmp/* "$SKILL_DIR/"
  cp /tmp/evm-wallet-tmp/.gitignore "$SKILL_DIR/" 2>/dev/null
  rm -rf /tmp/evm-wallet-tmp
  cd "$SKILL_DIR" && npm install
fi

For all commands below, always cd "$SKILL_DIR" first.

First-Time Setup

Generate a wallet (only needed once): 

node src/setup.js --json

Returns: { "success": true, "address": "0x..." }

The private key is stored at ~/.evm-wallet.json (chmod 600). Never share this file.

Commands

Check Balance

When user asks about balance, portfolio, or how much they have:

# Single chain
node src/balance.js base --json
# All chains at once
node src/balance.js --all --json
# Specific ERC20 token
node src/balance.js base 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 --json

Always use --json for parsing. Present results in a human-readable format.

Send Tokens

When user wants to send, transfer, or pay someone:

# Native ETH
node src/transfer.js    --yes --json
# ERC20 token
node src/transfer.js     --yes --json

⚠️ ALWAYS confirm with the user before executing transfers. Show them:

  • Recipient address
  • Amount and token
  • Chain
  • Estimated gas cost

Only add --yes after the user explicitly confirms.

Swap Tokens

When user wants to swap, trade, buy, or sell tokens:

# Get quote first
node src/swap.js     --quote-only --json
# Execute swap (after user confirms)
node src/swap.js     --yes --json
  • Use eth for native ETH/POL, or pass a contract address
  • Default slippage: 0.5%. Override with --slippage
  • Powered by Odos aggregator (best-route across hundreds of DEXs)

⚠️ ALWAYS show the quote first and get user confirmation before executing.

Contract Interactions

When user wants to call a smart contract function:

# Read (free, no gas)
node src/contract.js   \
  "" [args...] --json
# Write (costs gas — confirm first)
node src/contract.js   \
  "" [args...] --yes --json

Examples: 

# Check USDC balance
node src/contract.js base \
  0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 \
  "balanceOf(address)" 0xWALLET --json
# Approve token spending
node src/contract.js base \
  0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 \
  "approve(address,uint256)" 0xSPENDER 1000000 --yes --json

Check for Updates

node src/check-update.js --json

If an update is available, inform the user and offer to run: 

cd "$SKILL_DIR" && git pull && npm install

Supported Chains

ChainNative TokenUse For
baseETHCheapest fees — default for testing
ethereumETHMainnet, highest fees
polygonPOLLow fees
arbitrumETHLow fees
optimismETHLow fees
Always recommend Base for first-time users (lowest gas fees).

Common Token Addresses

Base

  • USDC: 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913
  • WETH: 0x4200000000000000000000000000000000000006

Ethereum

  • USDC: 0xA0b86a33E6441b8a46a59DE4c4C5E8F5a6a7A8d0
  • WETH: 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2

Safety Rules

  • Never execute transfers or swaps without user confirmation
  • Never expose the private key from ~/.evm-wallet.json
  • Always show transaction details before executing (amount, recipient, gas estimate)
  • Recommend Base for testing and small amounts
  • Show explorer links after successful transactions so users can verify
  • If a command fails, show the error clearly and suggest fixes

Error Handling

  • "No wallet found" → Run node src/setup.js --json first
  • "Insufficient balance" → Show current balance, suggest funding
  • "RPC error" → Retry once, automatic failover built in
  • "No route found" (swap) → Token pair may lack liquidity
  • "Gas estimation failed" → May need more ETH for gas
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务