← Back to Skills Marketplace

Golden Claw

Name: Golden Claw
Author: goldenclaworg

by GoldenClawOrg · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

653

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install goldenclaw

Description

Manage GoldenClaw (GCLAW) on Solana. Create wallet, claim from faucet, check balance, send tokens, view history. For OpenClaw AI agents.

README (SKILL.md)

GoldenClaw (GCLAW) Skill

Solana SPL token skill for OpenClaw: wallet, faucet claims, and agent-to-agent transfers in GCLAW.

Installation

Extract the skill to your skills/ folder
Run npm run build in the skill directory (dependencies are installed automatically when the skill runs if missing)

Commands

gclaw setup – Create encrypted wallet
gclaw claim – Claim GCLAW from faucet (goldenclaw.org)
gclaw balance – GCLAW and SOL balance
gclaw address – Your wallet address
gclaw send \x3Camount> \x3Caddress> – Send GCLAW to another agent
gclaw donate \x3CSOL> – Donate SOL to main wallet (treasury)
gclaw history – Transaction history
gclaw limits – Spending limits
gclaw tokenomics – Distribution stats

Links

Usage Guidance

This skill appears to do what it says: manage a GCLAW Solana wallet, claim and send tokens, and keep local state. Before installing or using with real funds: - Inspect the compiled wallet.js and related dist files (or run the repo through a reviewer) to confirm there is no unexpected behavior reading/writing files outside its data directory. - Note that on first run the skill will run 'npm install' in the skill directory (execSync). That downloads/compiles dependencies (e.g., argon2). If you prefer, run npm install yourself in a sandboxed environment before enabling the skill. - Confirm OPENCLAW_DATA_DIR location (defaults to HOME/.openclaw) or set it to a directory you control; review and backup the 24-word seed phrase when creating a wallet. - For testing, point SOLANA_RPC_URL to devnet instead of mainnet and avoid funding the wallet until you are confident in the code. - Treat the donation address and faucet URLs as external trust decisions; verify the project/website independently if you plan to interact financially. If you want higher assurance, request the un-minified source (TypeScript) or a security audit of wallet.js and any decryption routines before placing real assets under this skill.

Capability Analysis

Type: OpenClaw Skill Name: goldenclaw Version: 1.0.0 The skill is classified as suspicious due to the use of `child_process_1.execSync('npm install')` in `dist/index.js`. This dynamically executes `npm install` at runtime if `node_modules` is missing, which is a significant supply chain risk and a potential Remote Code Execution (RCE) vulnerability. While the current `package.json` dependencies appear benign, this mechanism allows for arbitrary code execution if the `package.json` file or any of its dependencies in the npm registry were compromised. This is a critical vulnerability that *allows* attacks, rather than code *designed* to attack, hence the 'suspicious' classification. Other aspects, such as wallet management and network interactions, appear to follow good security practices and align with the stated purpose.

Capability Assessment

✓ Purpose & Capability

The name/description (manage GCLAW on Solana: create wallet, claim, check balance, send tokens, view history) matches the included JS modules (wallet, balance, transactions, distribution, onchain-client). Optional env vars advertised (RPC URL, faucet URL, data dir, limits) align with functionality. The package description's phrasing about 'exchange services like API tokens and AI compute' is marketing/contextual but does not contradict the implemented wallet/distribution features.

ℹ Instruction Scope

SKILL.md and README instruct extracting the bundle and running npm build/install; the runtime entrypoint (dist/index.js) will automatically exec 'npm install' if node_modules is missing. The code reads/writes wallet and distribution state files under OPENCLAW_DATA_DIR (or user HOME/.openclaw by default) and interacts with Solana RPC and the configured faucet URL. There are no instructions that read unrelated system files or request unrelated credentials, but the skill will create and store encrypted wallet files and local JSON state (claimed-addresses, distribution-state, spending tracker) which is expected for this functionality.

ℹ Install Mechanism

There is no formal install spec in the registry metadata; however, dist/index.js will run 'npm install' via child_process.execSync at startup if dependencies are missing. This triggers network fetch and native builds (e.g., argon2 may compile). The packages are standard (solana/web3, spl-token, bip39, argon2, bs58) and are declared in package.json — this is coherent but increases runtime risk compared to an instruction-only skill because it performs package install operations at runtime.

✓ Credentials

The skill declares no required environment variables in the registry metadata. The README documents optional, sensible vars (GCLAW_TOKEN_MINT, SOLANA_RPC_URL, GCLAW_FAUCET_URL, OPENCLAW_DATA_DIR, donation address, and limits) that match the code's use. No unrelated cloud credentials or broad secrets are requested. The skill does rely on a runtime password from the user to decrypt the wallet (expected).

✓ Persistence & Privilege

The skill stores its own wallet and state files under an application-specific directory (OPENCLAW_DATA_DIR or HOME/.openclaw/gclaw-wallet). always is false and it does not request elevated or system-wide changes. It does not modify other skills' configurations. Autonomous invocation is allowed by default (not flagged on its own).

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install goldenclaw
After installation, invoke the skill by name or use /goldenclaw
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

GoldenClaw (GCLAW) skill for Solana now available for OpenClaw AI agents. - Create an encrypted wallet and manage GCLAW tokens on Solana. - Claim GCLAW from the official faucet, view balances, transaction history, and spending limits. - Send and receive GCLAW tokens agent-to-agent, with easy access to address and donation options. - Provides commands for wallet setup, sending, claiming, checking balances, and tokenomics. - Includes full documentation and helpful links for faucet, website, token info, and social media.

Metadata

Slug goldenclaw

Version 1.0.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Golden Claw?

Manage GoldenClaw (GCLAW) on Solana. Create wallet, claim from faucet, check balance, send tokens, view history. For OpenClaw AI agents. It is an AI Agent Skill for Claude Code / OpenClaw, with 653 downloads so far.

How do I install Golden Claw?

Run "/install goldenclaw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Golden Claw free?

Yes, Golden Claw is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Golden Claw support?

Golden Claw is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Golden Claw?

It is built and maintained by GoldenClawOrg (@goldenclaworg); the current version is v1.0.0.

More Skills