← Back to Skills Marketplace
334
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install upload-clawhub
Description
Execute DeFi transactions on BSC via SHLL AgentNFA. The AI handles all commands and users only need to chat.
Usage Guidance
This skill legitimately needs an operator private key to execute trades, but there are worrying gaps and choices you should consider before installing: 1) Metadata mismatch: the registry claims no required env vars while the SKILL.md requires RUNNER_PRIVATE_KEY — ask the publisher to fix this and explain why it was omitted. 2) Private key handling: do NOT use a main wallet; if you proceed, create a purpose-built operator wallet with minimal BNB and never store your main funds there. Prefer ephemeral session keys where possible and avoid writing the private key to persistent agent config files (the SKILL.md examples show adding it to Claude/Cursor configs). 3) Package provenance: SKILL.md recommends npm install -g shll-skills — verify the npm package publisher and inspect the GitHub repo source before installation. 4) PolicyGuard claims to enforce safety on-chain, but execute_calldata accepts arbitrary calldata (albeit subject to on-chain checks) — understand the on-chain policy rules and verify the listed PolicyGuard contract address on BscScan. 5) If you don't fully trust the source, decline to install or use a read-only setup (monitoring functions only) until you can audit the code and confirm the private-key handling and contract behavior. If you want, I can: summarize the exact places where a private key would be persisted in your agent, draft safer onboarding steps (ephemeral key or signing-service flow), or list questions to send to the skill author for clarification.
Capability Analysis
Type: OpenClaw Skill
Name: upload-clawhub
Version: 6.0.5
The skill bundle provides a DeFi execution toolkit for the Binance Smart Chain (BSC) that involves high-risk capabilities, specifically the management of an operator's private key (RUNNER_PRIVATE_KEY) and the execution of arbitrary blockchain transactions via raw calldata (shll-run raw). While the documentation in SKILL.md and README.md outlines extensive security measures—such as on-chain policy enforcement (PolicyGuard), dual-wallet isolation, and mandatory user confirmation for write operations—the inherent nature of handling sensitive credentials and performing financial transactions constitutes meaningful high-risk behavior. Additionally, the instructions direct the AI agent to automatically manage its own environment variables and generate hot wallets, which increases the potential attack surface for credential exposure or session manipulation.
Capability Assessment
Purpose & Capability
The skill's name and description (execute DeFi trades on BSC via SHLL/AgentNFA) are consistent with what the SKILL.md instructs: installing an shll CLI/MCP, running swaps, lending, and executing calldata through an on-chain PolicyGuard. However the registry metadata lists no required environment variables / primary credential while the SKILL.md clearly requires RUNNER_PRIVATE_KEY (operator wallet) and optionally SHLL_RPC — this metadata mismatch is surprising and should be corrected/clarified.
Instruction Scope
Runtime instructions explicitly require an operator private key, instruct adding that key into agent configuration files (examples show editing Claude and Cursor MCP config files), and direct the agent to set RUNNER_PRIVATE_KEY automatically for sessions. The tool also exposes execute_calldata/execute_calldata_batch (raw calldata execution through PolicyGuard). These instructions involve reading/writing local agent configs and handling a highly sensitive secret, which broadens the skill's scope beyond a simple read-only tool and gives the agent discretion to persist a private key.
Install Mechanism
No install spec is embedded in the registry, but SKILL.md recommends installing an npm package (npm install -g shll-skills) from the public npm registry and links to a GitHub repo. Installing a third-party global npm package is a standard but nontrivial action (downloads and runs external code) and therefore moderate risk — verify the npm package and GitHub source before installing.
Credentials
The skill requires a RUNNER_PRIVATE_KEY (explicitly marked required in SKILL.md) and recommends storing it in env/config for MCP integration. Requesting a dedicated operator key is proportionate to an autonomous trading agent, but the registry metadata fails to declare this. Persisting a raw private key in agent config files (e.g., claude_desktop_config.json or .cursor/mcp.json) or having the agent set it automatically increases exposure; this is especially sensitive and should be limited to ephemeral, minimal-privilege keys only.
Persistence & Privilege
The skill does not set always:true, but the instructions encourage persistent configuration changes (adding shll-mcp to agent mcpServers entries with RUNNER_PRIVATE_KEY embedded). That produces long-lived secret storage on disk and grants persistent execution capability to the agent. Combined with write tools (swap, transfer, execute_calldata), this persistent secret raises the blast radius if the key or the installed package is compromised.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install upload-clawhub - After installation, invoke the skill by name or use
/upload-clawhub - Provide required inputs per the skill's parameter spec and get structured output
Version History
v6.0.5
Replace rent/rental/renter with subscription/subscriber in all user-facing strings
v6.0.3
shll-run v6.0.3 changelog
- Improved security guidance: Stronger emphasis on operator wallet isolation and PolicyGuard controls.
- Clarified onboarding and wallet setup: Added explicit instructions for wallet roles and warnings against unsafe practices.
- Updated write confirmation policy: Now requires explicit user approval for all vault-affecting operations, with clear risk summaries.
- Enhanced documentation: Reflects current limitations, especially for raw calldata and contract address pinning.
- Minor fixes: Adjusted command usage and clarified critical constraints for safer, easier operation.
Metadata
Frequently Asked Questions
What is Upload Clawhub?
Execute DeFi transactions on BSC via SHLL AgentNFA. The AI handles all commands and users only need to chat. It is an AI Agent Skill for Claude Code / OpenClaw, with 334 downloads so far.
How do I install Upload Clawhub?
Run "/install upload-clawhub" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Upload Clawhub free?
Yes, Upload Clawhub is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Upload Clawhub support?
Upload Clawhub is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Upload Clawhub?
It is built and maintained by kledx (@kledx); the current version is v6.0.5.
More Skills