← Back to Skills Marketplace
Vincent - Agent Wallet
by
Chris Cassano
· GitHub ↗
· v1.0.0
1345
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install vincent
Description
Use this skill to safely create a wallet the agent can use for transfers, swaps, and any EVM chain transaction. Also supports raw signing and polymarket betting.
Usage Guidance
This skill appears to implement an agent-controlled wallet via a hosted API (heyvincent.ai). Before installing: (1) verify the publisher and service (no source/homepage provided here); (2) confirm you trust heyvincent.ai to custody private keys and to act on the agent's behalf; (3) insist that the registry metadata be updated to declare the required API key/primary credential so the platform can surface and protect it; (4) store any API keys securely (avoid world-readable locations) and prefer per-agent, least-privilege API keys and strict spending policies; (5) test with minimal funds and monitor transactions; (6) if you cannot validate the service or the publisher, do not provide real funds or long‑lived credentials.
Capability Analysis
Type: OpenClaw Skill
Name: vincent
Version: 1.0.0
The skill is classified as suspicious due to several high-risk capabilities and potential prompt injection vectors, despite its stated benign purpose. The `SKILL.md` file instructs the agent to store and retrieve API keys from specific file system paths (`~/.openclaw/credentials/agentwallet/` or `agentwallet/`), indicating file system read/write access. More critically, it explicitly instructs the agent to accept a user-provided `relinkToken` and use it directly in an unauthenticated API call to `https://heyvincent.ai/api/secrets/relink` to obtain a new API key. This creates a direct prompt injection surface where user input is treated as a sensitive authorization token, allowing a malicious user to potentially trick the agent into misusing the recovery mechanism. The skill also involves high-risk financial transactions (transfers, swaps, betting) via API calls to `https://heyvincent.ai`.
Capability Assessment
Purpose & Capability
The SKILL.md clearly requires an API key (Bearer token) to create and operate wallets on heyvincent.ai; however the registry metadata lists no primary credential or required env vars. That is inconsistent: the skill cannot function as documented without a secret but the package does not declare or surface that requirement. Also there is no source/homepage provided for the publisher, making it harder to validate.
Instruction Scope
The runtime instructions are narrowly focused on wallet operations (create wallet, get balances, transfer, swap, raw signing, polymarket betting). They explicitly instruct storing and using an API key (paths such as ~/.openclaw/credentials/agentwallet/<API_KEY_ID>.json or ./agentwallet/...), and describe interactions with a remote API (heyvincent.ai). They do not instruct reading unrelated system files, but they do instruct where to persist credentials which can increase risk if the files are accessible to other components.
Install Mechanism
Instruction-only skill with no install spec and no code files — low install risk. However it relies on outbound network calls to a third‑party domain (heyvincent.ai), which is expected for a hosted wallet service but should be verified by the user.
Credentials
Although the skill requires an API key to operate, the metadata declares no required environment variables or primary credential. That omission is disproportionate and problematic: the skill will expect and use a secret, but the platform won't prompt for or label it. The SKILL.md also recommends specific storage paths for credentials, which could be sensitive if other skills or processes can access them.
Persistence & Privilege
The skill does not request always:true and has typical autonomous-invocation defaults. That is normal. Note: if you grant the skill (or the agent) the API key, it can autonomously initiate transfers within the wallet's policy — so giving the key is effectively granting on‑chain transaction capability.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install vincent - After installation, invoke the skill by name or use
/vincent - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Vincent 1.0.0 – Initial Release
- Provides secure wallets for agents supporting transfers, swaps, EVM chain transactions, raw signing, and Polymarket betting.
- Ensures the agent never accesses the private key; all transactions are server-side, controlled by owner-set policies.
- Offers multiple wallet types: EVM_WALLET, RAW_SIGNER, and POLYMARKET_WALLET, each optimized for specific use cases.
- Allows owners to configure policies for address, token, function allowlists, and spending limits.
- Includes REST API endpoints for creating wallets, checking balances, transferring tokens, swapping, executing arbitrary transactions, and API key recovery.
- Comprehensive documentation for setup, usage, and recovery is provided.
Metadata
Frequently Asked Questions
What is Vincent - Agent Wallet?
Use this skill to safely create a wallet the agent can use for transfers, swaps, and any EVM chain transaction. Also supports raw signing and polymarket betting. It is an AI Agent Skill for Claude Code / OpenClaw, with 1345 downloads so far.
How do I install Vincent - Agent Wallet?
Run "/install vincent" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Vincent - Agent Wallet free?
Yes, Vincent - Agent Wallet is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Vincent - Agent Wallet support?
Vincent - Agent Wallet is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Vincent - Agent Wallet?
It is built and maintained by Chris Cassano (@glitch003); the current version is v1.0.0.
More Skills