← Back to Skills Marketplace
363
Downloads
1
Stars
2
Active Installs
9
Versions
Install in OpenClaw
/install shll-skills
Description
Execute DeFi transactions on BSC via SHLL AgentNFA. The AI handles all commands and users only need to chat.
Usage Guidance
Before installing or enabling this skill:
- Do not reuse any main/owner/private wallets. If you test, create a dedicated operator wallet with minimal BNB (as the SKILL.md recommends).
- Resolve the metadata mismatch: the platform metadata lists no required env vars but SKILL.md requires RUNNER_PRIVATE_KEY. Ask the publisher to correct the registry entry and explain how the key is supplied at runtime.
- Never paste your main private key into chat. Prefer ephemeral keys or local environment variables managed by you, not written into persistent agent config files.
- The SKILL.md recommends writing RUNNER_PRIVATE_KEY into agent config files (e.g., Claude/Cursor). Avoid storing a private key in plaintext config files — request alternative signing workflows (local signer, hardware wallet, or ephemeral session only) or confirm that the key is encrypted at rest and not uploaded anywhere.
- Verify the on-chain contract addresses and review the PolicyGuard contract on BscScan (the SKILL.md gives an address; independently confirm the published source matches expected behavior).
- If you plan to install the npm package, audit the package source code (GitHub repo and published tarball) locally before running it; prefer installing in an isolated VM/container.
- Ask the developer how the agent receives and stores the RUNNER_PRIVATE_KEY at runtime, whether it performs any network calls with the key, and whether any logs might leak it.
- If you are not comfortable with storing or letting an agent handle a private key, do not install the skill. Consider read-only alternatives or strictly manual signing flows.
Providing these clarifications and mitigations to the skill author (or withholding enabling the skill until answered) will reduce the risk of accidental key exposure.
Capability Analysis
Type: OpenClaw Skill
Name: shll-skills
Version: 6.0.5
The bundle provides a DeFi execution toolkit (CLI and MCP) for the BNB Chain, centered around a dual-wallet architecture and on-chain policy enforcement via a 'PolicyGuard' contract. The instructions in SKILL.md and README.md are heavily focused on security, explicitly directing the AI agent to use a restricted 'operator' wallet for gas only, to never handle the user's owner private key, and to require user confirmation for all write operations. While the tool handles a private key (RUNNER_PRIVATE_KEY), this is necessary for its stated purpose, and the bundle includes significant guardrails and documentation to mitigate risk, with no evidence of malicious intent or data exfiltration.
Capability Assessment
Purpose & Capability
The claimed capability (execute policy-limited DeFi trades on BSC) legitimately requires an operator wallet private key and RPC config; that aligns with the SKILL.md. However, the registry metadata provided to the platform lists no required env vars while the SKILL.md explicitly requires RUNNER_PRIVATE_KEY (and optionally SHLL_RPC). That metadata mismatch is an incoherence that should be resolved before trusting the skill.
Instruction Scope
SKILL.md instructs agents to automatically set RUNNER_PRIVATE_KEY for the session and to place the key into various agent config files (e.g., Claude and Cursor configs). It instructs the agent not to ask users to edit env vars manually. This expands the agent's scope to reading/writing persistent user config files and handling a highly sensitive secret, which is broader and riskier than a simple tool invocation. The instructions also advise installation via npm and reference executing arbitrary calldata through PolicyGuard (a legit capability but higher-risk if misused).
Install Mechanism
There is no platform-level install spec, but SKILL.md recommends installing 'shll-skills' from the public npm registry (npm install -g shll-skills). Installing from npm is a common pattern (moderate risk) but since the registry metadata lists no install, the discrepancy should be clarified. The skill does not point to opaque URLs or downloads, which is better than an arbitrary archive URL.
Credentials
Requesting a single operator private key (RUNNER_PRIVATE_KEY) is proportionate to performing on-chain trades, but the instructions encourage embedding that private key into persistent agent configs and automating its setting — practices that increase exposure. The platform metadata claiming 'none' for required env vars conflicts with the SKILL.md requirement. SHLL_RPC as optional is reasonable.
Persistence & Privilege
always:false (good), but SKILL.md's guidance to edit agent config files to include RUNNER_PRIVATE_KEY creates persistent storage of a sensitive secret in user-facing config files. The skill's instructions effectively ask for long-lived presence of the private key in agent configurations, which increases blast radius if the key is mishandled. The skill does not declare that it will avoid persisting secrets, and telling the agent to 'set' the key automatically is ambiguous and risky.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install shll-skills - After installation, invoke the skill by name or use
/shll-skills - Provide required inputs per the skill's parameter spec and get structured output
Version History
v6.0.5
Replace rent/rental/renter with subscription/subscriber in all user-facing strings
v6.0.4
Add on-chain enforcement evidence to policy rejection output; enhance SKILL.md with product overview, security architecture diagram, and 4-policy stack documentation
v6.0.3
fix: use SupportingFeeOnTransferTokens for V2 sells, fix DeFi Guard selector compatibility
v6.0.2
Remove direct policy modification; config is now read-only and guides users to web console
v6.0.1
v6.0.1 Major Update: Native Smart Routing for Four.meme tokens! The swap command seamlessly auto-routes to the underlying four_buy/four_sell logic during the bonding curve phase. Fixed PancakeSwap zero-liquidity UX crashes, entirely eliminating AI hallucinations instructing users to "manually wrap BNB".
v6.0.0
v6.0.0: Modular services layer, env/credentials metadata for ClawHub scanner, security warnings for operator key, Four.meme bonding curve support, structured error codes, 30 security fixes.
v5.6.2
v6.0.0: Modular services layer, env/credentials metadata, security warnings for operator key, Four.meme support, structured error codes.
v5.6.1
v6.0.0: Modular services layer, env/credentials metadata, security warnings for operator key, Four.meme support, structured error codes.
v5.6.0
v5.6.0: 30 security fixes, PancakeSwap MEV Guard integration, V2 deadline hardened to 3min, private RPC recommendation.
Metadata
Frequently Asked Questions
What is Upload Clawhub?
Execute DeFi transactions on BSC via SHLL AgentNFA. The AI handles all commands and users only need to chat. It is an AI Agent Skill for Claude Code / OpenClaw, with 363 downloads so far.
How do I install Upload Clawhub?
Run "/install shll-skills" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Upload Clawhub free?
Yes, Upload Clawhub is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Upload Clawhub support?
Upload Clawhub is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Upload Clawhub?
It is built and maintained by kledx (@kledx); the current version is v6.0.5.
More Skills