Typhoon Starknet Account
by esdras-sena · v0.3.8
2444 Downloads · 1 Stars · 1 Active Installs · 16 Versions
Install in OpenClaw
/install typhoon-starknet-account
Description
Create an anonymous Starknet wallet via Typhoon and interact with Starknet contracts. Privacy-focused wallet creation for agents requiring anonymity.
Usage Guidance
This skill appears to implement the advertised anonymous wallet + contract flows, but it performs several sensitive actions you should consider before installing:
- Private keys are generated and stored on disk under ~/.openclaw/secrets/starknet. If you install/use this skill, your agent (and anyone with access to that path) can access those keys. Use a dedicated machine or isolated account and back up keys securely.
- The event watcher can create cron jobs and modify your crontab (~/.openclaw/cron and system crontab). That gives the skill persistent, scheduled execution outside the agent. Only allow this if you trust the code and want continuous monitoring.
- The watcher can POST events to user-specified webhook URLs. Verify any webhook targets and avoid exposing private data to unknown endpoints.
- There is no automated install spec in the registry; you must run 'npm install' to fetch dependencies. Inspect package.json and the listed dependencies before installing, and consider installing in an isolated environment (container/VM) to limit blast radius.
- The skill references environment variables (STARKNET_RPC_URL, PAYMASTER_URL, STARKNET_SECRETS_DIR) that are not declared as required in registry metadata — set them explicitly and review defaults (e.g., default RPC and paymaster hosts).
Recommendations:
- Review the create-account.js and watcher scripts locally to confirm behavior and tweak paths/cron behavior if necessary.
- If you only need on-demand operations, avoid enabling the watcher/cron functionality.
- Use an account with minimal funds for testing, and consider keeping secrets in a controlled secure store rather than defaulting to the home directory.
Given the combination of local secret handling, crontab modification, and remote webhook capabilities, treat this skill as 'suspicious' unless you can fully audit and control how it is run.
Capability Analysis
Type: OpenClaw Skill
Name: typhoon-starknet-account
Version: 0.3.8
The skill is classified as suspicious due to its broad `allowed-tools` permissions (`Bash`, `Read`, `Write`, `Glob`, `Grep`, `Task`) and the inherent risks associated with agentic systems handling cryptographic keys and executing shell commands, even with robust mitigations. While the `scripts/parse-smart.js` file implements extensive prompt injection and command injection defenses using regex patterns, and `scripts/resolve-smart.js` enforces an attestation mechanism and redacts private keys from output, these filters are not foolproof against all possible attack vectors. The `scripts/watch-events-smart.js` script can create cron jobs for persistence, although it includes a self-destruct mechanism to remove them after a set duration. The private key management, while well-implemented with restrictive file permissions and input sanitization, still represents a high-value target. These elements collectively indicate significant security risks and vulnerabilities, but no clear evidence of intentional malicious behavior (e.g., unauthorized exfiltration to external endpoints or stealthy backdoors) was found.
Capability Assessment
Purpose & Capability
The name/description align with the code: it uses Typhoon SDK to create anonymous Starknet accounts and uses starknet/AVNU SDKs for reads/writes. Declared prerequisites in SKILL.md (npm packages, optional STARKNET_RPC_URL) match package.json and code. Small mismatch: registry metadata lists no required env vars, but the scripts expect/process STARKNET_RPC_URL, PAYMASTER_URL (via env), and allow STARKNET_SECRETS_DIR override — these environment touches are reasonable for a wallet tool but were not listed as required in the registry metadata.
Instruction Scope
Runtime instructions and scripts do more than simple wallet creation/calls: they write private key files under ~/.openclaw/secrets/starknet, create/modify cron jobs (editing crontab), run child_process exec to manage crontab, and can POST event data to arbitrary webhook URLs. These behaviors go beyond a minimal 'create-wallet and call contracts' scope and allow persistent background activity and remote data transmission.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md instructs running npm install and package.json lists multiple external dependencies (starknet, typhoon-sdk, @avnu/avnu-sdk, etc.). That means running network installs is required to use the scripts; the install will pull third-party packages (expected for this functionality) but is not automated or reviewed by the registry spec.
Credentials
The skill reads and writes local secret material (private keys and artifacts in ~/.openclaw/secrets/starknet) which is expected for a wallet, but it also reads optional environment variables (STARKNET_RPC_URL, PAYMASTER_URL, STARKNET_SECRETS_DIR) and can send events to external webhook URLs provided in watcher inputs. The skill does not require explicit registry-declared credentials, yet it handles highly sensitive secrets on disk and uses network endpoints — this requires careful trust and explicit user consent.
Persistence & Privilege
Although always:false, the skill's watcher can create cron jobs (writes scripts under ~/.openclaw/cron and modifies the user's crontab) to run persistently. It also writes long-lived artifacts and key files into the user's home. These are significant persistence and privilege actions that should be disclosed and approved by the user before use.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install typhoon-starknet-account`
- After installation, invoke the skill by name or use `/typhoon-starknet-account`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.3.8
No significant changes detected for version 0.3.8; no file modifications since the previous release.
v0.3.7
- Added a "Quick Reference" section for fast access to examples and deep-dive resources.
- Clarified script references for account creation and contract interaction.
- Included explicit paths to key script examples for common flows (read/write/allowance checks).
- No functional or breaking changes; documentation improvements only.
v0.3.6
No changes detected in this release.
- Version bumped to 0.3.6 with no file modifications.
- All features and functionality remain unchanged.
v0.3.5
No changes detected in this version.
- Version 0.3.5 was released with no file changes compared to the previous version.
v0.3.4
- No code or documentation changes in this release.
- Version bump to 0.3.4; functionality remains unchanged.
v0.3.3
No changes detected in this release.
- Version bumped to 0.3.3 with no file or documentation updates.
- No new features, bug fixes, or adjustments introduced.
v0.3.2
- Added four new scripts: `_rpc.js`, `_tokens.js`, `loot-survivor.js`, and `.env.example` for improved script modularity and configuration.
- Expanded documentation to clarify agent-facing workflow, RPC setup, and error recovery strategies.
- Updated allowed tools list for greater task and script execution flexibility.
- Enhanced AVNU SDK integration guidance for WRITE/CONDITIONAL operations.
- Improved step-by-step contract interaction examples and best practices for Starknet.js v9.2.1.
v0.3.1
- Added new script: scripts/vesu-pool.js
- No changes to main workflow or documentation.
v0.3.0
- Major restructure: replaced all previous scripts with a new, streamlined set for parsing, resolving, and handling Starknet operations.
- Added new scripts: `parse-smart.js`, `resolve-smart.js`, `read-smart.js`, `watch-events-smart.js`, `avnu-swap.js`, `synonyms.js`, `test-parse.js`.
- Introduced `protocols.json` for easier protocol and address handling.
- Removed legacy scripts for contract calls, fee estimation, multicalls, allowances, and account management.
- Updated documentation to reflect new security rules, dependency requirements, and step-by-step flow for parsing prompts, confirming authorization, and executing actions.
- Added support for event watching, conditional operations, and explicit user authorization before contract writes.
v0.2.5
- Added `allowed-tools: read exec process` and additional `metadata` fields for improved skill manifest compatibility.
- No script or interface changes; functionality and commands remain unchanged.
- Minor documentation updates to support OpenClaw installation and agent metadata discovery.
v0.2.4
- Updated prerequisite to require typhoon-sdk@^1.1.13 (was ^1.1.12).
- Clarified in the account creation flow that account creation can take several minutes and users should wait during Typhoon proof generation and Starknet deployment.
v0.2.3
- Removed redundant lock files and package definition under scripts/, simplifying package management.
- Added a consolidated package.json at the root for dependency tracking.
- Updated documentation to include explicit npm install instructions for required packages (starknet and typhoon-sdk).
- No user-facing behavior changes; these updates improve setup clarity and codebase maintainability.
v0.2.2
No significant code or SKILL.md changes; only documentation was updated.
- Updated all script usage examples to use relative paths (e.g. `node scripts/<script>.js`) for improved portability and compatibility with different installation locations.
- Added clear instructions noting skill directory structure and how to run scripts.
- No changes to core workflow, scripts, or features.
v0.2.1
- Updated all script paths to use the absolute `$HOME/.openclaw/workspace/skills/typhoon-starknet-account/` directory instead of `~/Documents/typhoon-starknet-account/`.
- No behavioral or feature changes to core scripts; this version strictly standardizes agent script references for compatibility.
v0.2.0
- Added scripts for advanced signing and third-party interactions: `sign-typed-data.js`, `sign-invoke-tx.js`, and `starkbook-client.js`.
- New script: `find-deploy-tx.js` for locating deploy transactions.
- Expanded documentation with usage guidelines for signing typedData and unsigned INVOKE transactions, including SIWS and Starkbook flows.
- Updated script reference table to include new tools for typedData and transaction signing.
v0.1.0
Initial release of typhoon-starknet-account.
- Enables creation and management of Starknet accounts via Typhoon anonymous deployer.
- Provides scripts for account creation, funding, and address display.
- Supports discovering contract ABIs/functions and interacting with contracts (read/write).
- Includes preflight tools for simulation and fee estimation.
- Human-friendly allowance checks and token info decoding.
- Detailed agent workflow outlined for account operations and contract interaction.
Frequently Asked Questions
What is Typhoon Starknet Account?
Create an anonymous Starknet wallet via Typhoon and interact with Starknet contracts. Privacy-focused wallet creation for agents requiring anonymity. It is an AI Agent Skill for Claude Code / OpenClaw, with 2444 downloads so far.
How do I install Typhoon Starknet Account?
Run "/install typhoon-starknet-account" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Typhoon Starknet Account free?
Yes, Typhoon Starknet Account is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Typhoon Starknet Account support?
Typhoon Starknet Account is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Typhoon Starknet Account?
It is built and maintained by esdras-sena (@esdras-sena); the current version is v0.3.8.