📦 Autonomous Wallet — 自愈加密钱包
v1.0.0为AI代理打造的自愈加密钱包,支持意图驱动执行与社交恢复,自动修复异常并保障资产安全。
0· 279·0 当前·0 累计
by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
Do not install or hand over keys until you verify the package and repository. Steps to consider before using: 1) Confirm the npm package (openclaw-autonomous-wallet) exists on npm and the GitHub repo is legitimate and matches the maintainer listed in the registry; inspect recent commits, open issues, and contributors. 2) Audit the package source code (especially any code that handles PRIVATE_KEY/MNEMONIC, remote endpoints, or executes commands). 3) Prefer hardware-wallet integration or ephemeral...详细分析 ▾
ℹ 用途与能力
The name/description (autonomous crypto wallet) match the declared runtime needs in SKILL.md (PRIVATE_KEY or MNEMONIC, RPC_URL, node/npm, installing an npm package). However the registry metadata you provided earlier said 'Required env vars: none' and 'Required binaries: none' — that contradicts the skill's own SKILL.md which lists environment secrets and node/npm as required tools. Also the SKILL.md claims a 'verified repository' but maintainers/org names differ between places (ZhenRobotics vs ZhenStaff), which is an integrity/credibility mismatch.
⚠ 指令范围
The instructions are focused on wallet actions (init, import, execute intents, social recovery) which fit the stated purpose. But they explicitly instruct users to provide highly sensitive secrets (PRIVATE_KEY or MNEMONIC) as environment variables or import them, and to grant the skill authority to turn natural-language intents into on-chain transactions. That gives the agent broad ability to move funds if invoked. The SKILL.md does not direct reading unrelated system files, but the scope (autonomous transaction execution) is intrinsically high-risk and requires strong guardrails which are not detailed here.
ℹ 安装机制
This is an instruction-only skill (no install spec in the registry), but the SKILL.md instructs the user to globally install an npm package (openclaw-autonomous-wallet). Installing an npm package is a moderate-risk action because packages can contain arbitrary code; the SKILL.md points to a GitHub repo (claimed verified) but the registry metadata lacks an install spec and the org/maintainer names are inconsistent. Verify the package source and audit code before installing.
ℹ 凭证需求
Requested environment variables (PRIVATE_KEY, MNEMONIC, RPC_URL, NETWORK, ETHERSCAN_API_KEY) are consistent with a wallet's needs — they are not unrelated credentials. That said, PRIVATE_KEY and MNEMONIC are extremely sensitive. The SKILL.md encourages storing them in env vars or importing them, which is a common but risky pattern unless done in a secure, ephemeral environment (or via hardware wallet).
⚠ 持久化与权限
The skill is not 'always:true' and is user-invocable, but model invocation is enabled (default). That means an agent could autonomously call into the wallet logic to execute intents. Combining autonomous invocation with access to private keys/mnemonic materially increases risk — if the npm package or runtime behavior is malicious or buggy, funds could be moved without clear, auditable human approval. The skill does not provide strong, explicit runtime guardrails in the SKILL.md (e.g., mandatory manual approval, signing threshold enforcement at runtime).
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/12
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install autonomous-wallet
镜像加速npx clawhub@latest install autonomous-wallet --registry https://cn.longxiaskill.com