← Back to Skills Marketplace
yoniassia

Goodwallet Trading

by Yoni · GitHub ↗ · v0.2.1 · MIT-0
cross-platform ⚠ suspicious
226
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install goodwallet-trading
Description
Blockchain trading tools extending GoodWallet MPC agentic wallets. Adds ERC20 transfers, token approvals, DEX swaps (Uniswap V2), arbitrary contract calls, b...
README (SKILL.md)

GoodWallet Trading

Extends the goodwallet skill with blockchain trading capabilities. All transactions are MPC-signed via the same Sodot threshold ECDSA signing service.

Prerequisite: The user must first authorize via the goodwallet skill (auth + pair). Credentials are shared via ~/.config/goodwallet/config.json.

All commands are run via npx [email protected].

Important: Do not share technical details (key types, signature formats, internal paths). Run commands and report outcomes in plain language.

Setup

If the user hasn't authorized yet, run the goodwallet auth flow first:

npx [email protected] auth
# Show the URL to the user, then immediately:
npx [email protected] pair

Once paired, all goodwallet-trading commands will work automatically.

Commands

balance — Check ETH and ERC20 balances

npx [email protected] balance
npx [email protected] balance --token \x3Cerc20-address>

erc20-send — Send ERC20 tokens

npx [email protected] erc20-send --to \x3Caddress> --amount \x3Camount> --token \x3Cerc20-address>
Flag Short Required Description
--to \x3Caddress> -t Yes Recipient address
--amount \x3Camount> -a Yes Amount (human-readable, e.g. 10.5)
--token \x3Caddress> Yes ERC20 token contract

approve — Approve token spending

npx [email protected] approve --token \x3Cerc20-address> --spender \x3Caddress>
npx [email protected] approve --token \x3Cerc20-address> --spender \x3Caddress> --amount 100

Without --amount, approves unlimited spending.

contract-call — Call any smart contract

The most powerful command — execute arbitrary contract calls with MPC signing.

npx [email protected] contract-call --to \x3Ccontract> --data \x3Ccalldata-hex>
npx [email protected] contract-call --to \x3Ccontract> --data \x3Ccalldata-hex> --value 0.1
Flag Required Description
--to \x3Caddress> Yes Contract address
--data \x3Chex> Yes Calldata (hex with 0x prefix)
--value \x3Cether> No ETH to send with call (default: 0)

swap — Uniswap V2 DEX swap

npx [email protected] swap --router \x3Crouter-address> --from-token ETH --to-token \x3Ctoken-address> --amount 0.1
npx [email protected] swap --router \x3Crouter-address> --from-token \x3Ctoken-a> --to-token \x3Ctoken-b> --amount 100
Flag Required Description
--router \x3Caddress> Yes Uniswap V2 router address
--from-token \x3Caddress|ETH> Yes Token to sell (or "ETH")
--to-token \x3Caddress|ETH> Yes Token to buy (or "ETH")
--amount \x3Camount> Yes Amount to swap
--slippage \x3Cpercent> No Slippage tolerance (default: 1%)

token-info — Get ERC20 token details

npx [email protected] token-info --token \x3Cerc20-address>

Returns: name, symbol, decimals, total supply, your balance.

allowance — Check approved spending

npx [email protected] allowance --token \x3Cerc20-address> --spender \x3Caddress>

Environment Variables

Variable Default Description
SIGN_URL sign.goodwallet.dev Signing service endpoint
RPC_URL Alchemy Hoodi endpoint Override RPC URL

Network

Currently configured for Hoodi testnet (chain ID 560048). Explorer: https://hoodi.etherscan.io/

File Locations

File Purpose
~/.config/goodwallet/config.json Shared credentials from goodwallet auth

Typical Workflow

# 1. Auth (if not already done)
npx [email protected] auth
npx [email protected] pair

# 2. Check balance
npx [email protected] balance

# 3. Send ERC20 tokens
npx [email protected] erc20-send --to 0x... --amount 10 --token 0x...

# 4. Approve DEX router
npx [email protected] approve --token 0x... --spender 0x...

# 5. Swap on DEX
npx [email protected] swap --router 0x... --from-token ETH --to-token 0x... --amount 0.1

# 6. Arbitrary contract call
npx [email protected] contract-call --to 0x... --data 0xabcdef... --value 0.05
Usage Guidance
This skill appears to implement exactly what it claims (MPC-signed wallet trading), but there are several red flags you should check before installing or using it: - Confirm the author/source: the registry lists no homepage and the owner is unknown. Verify the 'goodwallet' npm package origin and that the native module is legitimate. - The skill reads ~/.config/goodwallet/config.json for apiKey/share/address — make sure you trust the auth flow and that the file is only populated by the official goodwallet tool. The registry metadata should have declared this but did not. - The code posts to an external signing endpoint (SIGN_URL, default sign.goodwallet.dev) and uses a relay URL. Verify these endpoints are the real GoodWallet/Sodot services and not attacker-controlled. - The skill loads a native .node binary from the goodwallet package. Native modules can run arbitrary code on your machine; only proceed if the package and its binary are from a trusted source. - There is a hard-coded Alchemy RPC URL (with an API key) in the code — this is an embedded credential and indicates default testnet use; it doesn’t directly leak your keys but shows the package bundles secrets. Consider overriding RPC_URL or inspecting the package to understand limits of that key. - The skill supports arbitrary contract-call and token swaps; these actions can move funds. Always verify addresses, amounts, and outputs before approving or broadcasting transactions. If you need to proceed, prefer running this in an isolated environment or container, inspect the goodwallet npm package and native binary contents yourself, and confirm the sign/relay endpoints and package authorship. If you cannot validate those points, treat the skill as untrusted.
Capability Analysis
Type: OpenClaw Skill Name: goodwallet-trading Version: 0.2.1 The skill provides powerful blockchain trading tools, including a 'contract-call' command in index.js that allows the execution of arbitrary smart contract transactions, which could be used to drain assets if the agent is manipulated. It dynamically loads a native binary (libsodot_executor) from the 'goodwallet' dependency to perform MPC signing, introducing a significant supply-chain risk. Additionally, index.js contains a hardcoded Alchemy RPC API key, which is a security vulnerability. While these features are aligned with the stated purpose of a DeFi trading tool, the combination of arbitrary execution capabilities and native code loading warrants a suspicious classification.
Capability Assessment
Purpose & Capability
The skill's stated purpose (ERC20 transfers, approvals, Uniswap V2 swaps, arbitrary contract calls signed via Sodot MPC) matches what the code implements: RPC calls, building transactions, and MPC signing via a native SDK. However the registry metadata omitted that the skill actually requires GoodWallet credentials stored at ~/.config/goodwallet/config.json and environment variables (SIGN_URL, RPC_URL) that the code reads — a mismatch between declared requirements and actual needs.
Instruction Scope
SKILL.md instructs the agent to run npx commands and to read/use ~/.config/goodwallet/config.json for credentials; the code indeed reads that file and posts signing requests to an external signing endpoint. The instructions also tell the agent not to reveal internal technical details, which reduces transparency. Reading the local config and contacting external sign/relay endpoints is necessary for MPC signing but was not declared in the registry metadata — this scope creep should be documented and verified.
Install Mechanism
No install spec in registry (instruction-only), but the package includes index.js and npm metadata. The code uses npx in instructions (downloads package at runtime) and requires the 'goodwallet' npm package and a native .node library from that package — loading native modules has higher risk than pure JS. There are no obscure download URLs, dependencies are from npm, but the native binary execution increases blast radius and should be verified as coming from the official goodwallet package.
Credentials
Registry declares no required env vars or config paths, yet the skill reads ~/.config/goodwallet/config.json (requires apiKey, share, address) and process.env.SIGN_URL / process.env.RPC_URL. The code also embeds a hard-coded Alchemy RPC URL (including an API key) as the default — an embedded credential. Requesting/using the user's GoodWallet API key/share is expected for signing, but the omission from metadata is a proportionality/documentation problem and a transparency/security concern.
Persistence & Privilege
The skill does not request always:true, does not claim system-wide persistence, and does not modify other skills' configs. It performs network calls and loads a native module but does not request elevated platform privileges in metadata.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install goodwallet-trading
  3. After installation, invoke the skill by name or use /goodwallet-trading
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.1
Updated to goodwallet 0.2.0, verified compatibility with new auth/pair flow
v0.2.0
Updated for goodwallet 0.2.0 auth+pair flow. Added SKILL.md with full command docs.
v0.1.0
Initial release: ERC20 transfers, approvals, balance checks, DEX swaps, contract calls via MPC
Metadata
Slug goodwallet-trading
Version 0.2.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Goodwallet Trading?

Blockchain trading tools extending GoodWallet MPC agentic wallets. Adds ERC20 transfers, token approvals, DEX swaps (Uniswap V2), arbitrary contract calls, b... It is an AI Agent Skill for Claude Code / OpenClaw, with 226 downloads so far.

How do I install Goodwallet Trading?

Run "/install goodwallet-trading" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Goodwallet Trading free?

Yes, Goodwallet Trading is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Goodwallet Trading support?

Goodwallet Trading is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Goodwallet Trading?

It is built and maintained by Yoni (@yoniassia); the current version is v0.2.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 Comments