operator-auteng-ai

pocket-money

cross-platform ⚠ suspicious
Downloads: 579
Stars: 0
Active Installs: 0
Versions: 5
Install in OpenClaw
/install pocket-money
Description
Give your AI agent crypto wallets on Base. Create purpose-specific wallets, ask your human to fund each one, check balances, and manage budgets. No accounts,...
Usage Guidance
This skill is coherent with its stated aim (creating local Base/USDC wallets), but it has security-sensitive components you should review before installing:
  1. Inspect the @auteng/pocket-money package source on GitHub and the npm package contents (including dependencies and postinstall scripts).
  2. Do not fund these wallets with more than a small, reviewed amount — treat them as petty cash.
  3. Consider requiring encrypted keystores or a hardware signing flow rather than unencrypted JSON files on disk; if you must use these files, keep strict filesystem permissions and backups off the machine.
  4. Confirm the RPC endpoints (mainnet.base.org) and whether gas in ETH is actually required — the SKILL.md claim that "no ETH needed for gas" may be inaccurate on Base unless a gas-sponsorship mechanism is used.
  5. If possible, run the npm package in a sandboxed environment or audit it first; pin to a specific package version and vendor.
  6. Be aware that the agent can be invoked autonomously; if you want to prevent accidental spending, restrict autonomous invocation for this skill or ensure that human approval can be enforced by policy.
If you cannot audit the package and accept these risks, proceed cautiously; otherwise, treat this skill as potentially dangerous.
Capability Analysis
Type: OpenClaw Skill
Name: pocket-money
Version: 2.0.0
The skill stores unencrypted private keys for crypto wallets on disk at `.auteng/wallets/<name>.json`, which is a significant vulnerability as it exposes funds if the host machine is compromised. While the `SKILL.md` transparently discloses this risk and provides mitigations (e.g., restricted file permissions, advice to use small amounts, and explicit instructions for the AI agent to seek human approval before any spending), the inherent risk of unencrypted key storage makes it suspicious. There is no evidence of intentional malicious behavior like data exfiltration or unauthorized remote control.
Capability Assessment
Purpose & Capability
Name and description align with the requested artifacts: node/npm are required for the @auteng/pocket-money package, and the skill expects a local config directory .auteng/wallets/ where wallets are stored. No unrelated credentials or bizarre binaries are requested.
Instruction Scope
The SKILL.md instructs creating, loading, and storing private keys as unencrypted JSON at .auteng/wallets/<name>.json (0600). It also instructs the agent to poll the Base RPC and to wait for funding. The document relies on the human for explicit approval before spending, but that is procedural (not enforced technically). There is no instruction-level protection preventing an agent or installed code from programmatically signing and sending transactions without human confirmation.
Install Mechanism
Install is via an npm package (@auteng/pocket-money). Installing an npm package grants arbitrary code execution on the host at install/runtime; this is expected for a Node-based skill but is a meaningful risk because the package will have access to wallet files and could exfiltrate keys. The package source is referenced in SKILL.md (GitHub and npm links), which helps reviewability, but the registry metadata lacked a homepage entry — you should verify the package identity and inspect source before installing.
Credentials
No environment variables or unrelated credentials are requested. The only filesystem access declared is the .auteng/wallets/ path where wallet JSONs are stored. That is consistent with the stated functionality, but the data stored there (private keys) is highly sensitive, so minimality of requested variables doesn't remove the risk.
Persistence & Privilege
always:false (good). The skill can be invoked autonomously (platform default). Combined with an installed npm package that can access and sign with local private keys, autonomous invocation increases blast radius: the agent or package could sign/send transactions programmatically. SKILL.md relies on human approval but cannot technically enforce it.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install pocket-money
  3. After installation, invoke the skill by name or use /pocket-money
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.0
- Migrated package to @auteng/pocket-money (from @auteng/agent-utils) with updated install instructions and repository links.
- Refocused documentation to core wallet creation, funding, management, and security.
- Removed x402 protocol/payment, API call, and discovery features, including fetch integration and compute/convenience modules.
- Added network selection (Base mainnet and Base Sepolia testnet) at wallet creation.
- Updated examples and instructions for funding workflows and balance checks.
- Clarified security and usage recommendations.
v1.4.0
- Added metadata section to SKILL.md with requirements, install instructions, and homepage.
- Expanded documentation with a new Security & Storage section, detailing wallet private key handling, network access, and payment signing.
- Clarified mitigation advice around safe wallet funding and usage.
- No changes to runtime code—documentation and metadata update only.
v1.3.0
- Expanded support: pay for any x402-enabled service, not just AutEng Compute.
- Updated documentation: clarified usage for generic x402 endpoints and API workflows.
- Added info on x402 discovery (`x402.probe`, `x402.discover`) and price formatting helpers.
- Simplified wallet naming and usage examples.
- Minor rewording for clarity and generalization beyond AutEng-specific services.
v1.1.0
- Adds requirement for explicit human approval before spending from any wallet.
- Updated documentation to include a new section detailing the approval workflow: show the human the estimated cost and wait for confirmation before proceeding.
- Emphasizes presenting costs and operations up front, especially for batches or loops.
- Clarifies wallet usage as "petty cash," not for savings, and strengthens instructions for safe, budgeted spending.
- Improves guidance around checking pricing, tracking budgets, and wallet file security details.
v1.0.0
- Initial release of pocket-money skill.
- Allows agents to create and manage USDC wallets (Base network) for funding and x402 service payments.
- Supports autonomous spending, wallet creation by purpose, and requesting human funding with clear instructions.
- Provides APIs for wallet creation, balance checking, funding waits, and x402-enabled payments.
- No accounts or KYC required; privacy-first, using only addresses and local key storage.
Metadata
Slug pocket-money
Version 2.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 5
Frequently Asked Questions

What is pocket-money?

Give your AI agent crypto wallets on Base. Create purpose-specific wallets, ask your human to fund each one, check balances, and manage budgets. No accounts,... It is an AI Agent Skill for Claude Code / OpenClaw, with 579 downloads so far.

How do I install pocket-money?

Run "/install pocket-money" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is pocket-money free?

Yes, pocket-money is completely free (open-source). You can download, install and use it at no cost.

Which platforms does pocket-money support?

pocket-money is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created pocket-money?

It is built and maintained by Operator @ AutEng AI (@operator-auteng-ai); the current version is v2.0.0.
