← Back to Skills Marketplace

Tongateway

Name: Tongateway
Author: pewpewgogo

by Volodya Plotvinov · GitHub ↗ · v0.9.3 · MIT-0

cross-platform ⚠ suspicious

106

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install tongateway

Description

Access TON blockchain tools to check wallet info, tokens, send transfers, resolve .ton names, trade on DEX, and manage autonomous agent wallets.

Usage Guidance

This skill appears to implement a legitimate TON agent gateway, but there are some practical safety gaps you should consider before installing: - Files written/read: SKILL.md and SECURITY.md say the skill stores a session JWT at ~/.tongateway/token and (only if you deploy an agent wallet) signing keys in ~/.tongateway/wallets.json. These paths were not declared in the registry metadata — expect local files to be created and readable by the agent process. - Autonomous wallet risk: The agent can deploy an 'Agent Wallet' that can sign and send transactions without phone approval. Only deploy and fund such an agent wallet with money you can afford to lose, and only after auditing the contract/agent code. - npx fetch: The recommended runtime is 'npx -y @tongateway/mcp' which downloads and runs an npm package. If you prefer to reduce risk, clone the GitHub repo and build/run the server locally or run it in a sandbox (VM or container) and inspect the code first. - Verify sources: The SKILL.md/README include GitHub and npm links — verify the package on npm matches the GitHub repo, and review the code (especially wallet key handling and any network endpoints). Confirm the API URL (AGENT_GATEWAY_API_URL) points to the expected domain. - Operational mitigations: use minimal funding for any agent wallets, revoke session tokens from the dashboard if needed, run the MCP server in a sandbox, and do not store large balances under the agent-managed wallet. If you want a higher-confidence verdict, provide the npm package tarball or the mcp repository contents for code-level review so you can confirm how tokens and agent keys are handled.

Capability Analysis

Type: OpenClaw Skill Name: tongateway Version: 0.9.3 The skill bundle provides tools for TON blockchain interaction, including a high-risk 'autonomous mode' (agent_wallet.transfer) that allows the AI to execute transactions without per-action user approval. While the documentation in SKILL.md and SECURITY.md is transparent about the risks and uses a dedicated contract model to limit exposure, the capability to move funds autonomously and the storage of signing keys in ~/.tongateway/wallets.json are significant high-risk behaviors. The installation also relies on npx execution of the @tongateway/mcp package, which is standard for MCP servers but requires trust in the @tongateway npm scope.

Capability Assessment

✓ Purpose & Capability

Name/description align with the instructions: tools to read wallet state, resolve .ton domains, request transfers, place DEX orders, and optionally deploy autonomous agent wallets. The functions requested (including agent_wallet.*) are coherent with the stated purpose.

⚠ Instruction Scope

SKILL.md instructs the agent to run 'npx -y @tongateway/mcp' and describes persistent files (~/.tongateway/token and ~/.tongateway/wallets.json). The registry metadata declared no required config paths or env vars, yet the instructions explicitly read/write home-directory files and suggest an AGENT_GATEWAY_API_URL env in examples. The skill's instructions therefore access filesystem locations that were not declared to the registry and grant the agent discretion to deploy an autonomous wallet (which can sign and spend from that wallet).

ℹ Install Mechanism

There is no install spec in the registry (instruction-only), but SKILL.md and README recommend running via 'npx @tongateway/mcp', which will fetch code from npm at runtime. Using npx is common for MCP servers but does pull and execute code from the npm registry; the package and GitHub links are provided so users can audit or build locally. This is standard but not risk-free.

⚠ Credentials

Registry metadata lists no required env vars or config paths, yet the README and SKILL.md reference AGENT_GATEWAY_API_URL (as an environment override) and persistent files under ~/.tongateway (token JWT and agent wallet signing keys). Storing agent wallet signing keys in ~/.tongateway/wallets.json is particularly sensitive; the skill will create/read these files if agent wallets are deployed. The declared 'no env/config' footprint is therefore incomplete.

ℹ Persistence & Privilege

The skill does not request 'always:true' and is user-invocable only. However it persists a session token across restarts and (optionally) creates wallet signing-key files for agent wallets. Autonomous transfers are possible but only via an opt-in 'Agent Wallet' that the user must deploy and fund. This combination is operationally powerful and should be treated as potentially dangerous if the user enables agent wallets or grants long-lived tokens.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install tongateway
After installation, invoke the skill by name or use /tongateway
Provide required inputs per the skill's parameter spec and get structured output

Version History

v0.9.3

- Added a new README.md file for additional documentation. - No changes to functionality or features. - Existing documentation in SKILL.md remains unchanged.

v0.9.2

- Initial skill files and project structure added. - Added SECURITY.md link and section to documentation. - Improved usage examples (DEX order example uses a smaller amount). - No breaking changes to existing API or tools.

v0.9.1

- Tool/function names have changed to namespace-based (e.g. wallet.info, transfer.request, agent_wallet.deploy). - Updated usage examples and docs to reflect new tool names and parameters. - DEX order price is now human-readable instead of nanoTON. - Added token decimal clarification for major supported tokens. - Minor documentation improvements for clarity and consistency.

v0.9.0

- Introduced the Agent Gateway with 16 tools for interacting with the TON blockchain. - Added wallet tools: view balances, tokens, NFTs, and transaction history. - Enabled safe transfers (with user approval), including .ton domain resolution. - Added DEX tools to place and manage limit orders. - Introduced autonomous agent wallets for direct transfers without approval. - Improved authentication flow and persistent token management. - Provided usage examples and important safety notes for users.

Metadata

Slug tongateway

Version 0.9.3

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 4

Frequently Asked Questions

What is Tongateway?

Access TON blockchain tools to check wallet info, tokens, send transfers, resolve .ton names, trade on DEX, and manage autonomous agent wallets. It is an AI Agent Skill for Claude Code / OpenClaw, with 106 downloads so far.

How do I install Tongateway?

Run "/install tongateway" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Tongateway free?

Yes, Tongateway is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Tongateway support?

Tongateway is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Tongateway?

It is built and maintained by Volodya Plotvinov (@pewpewgogo); the current version is v0.9.3.

More Skills