← Back to Skills Marketplace
126
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install conflux-wallet-skill
Description
Self-sovereign EVM wallet for AI agents. Use when the user wants to create a crypto wallet, check balances, send ETH or ERC20 tokens, swap tokens, or interac...
README (SKILL.md)
EVM Wallet Skill
Self-sovereign EVM wallet. Private keys stored locally, no external API dependencies.
⚠️ SECURITY WARNING
NEVER expose your private key!
- Never send your private key in chat, email, or any messaging platform
- Never share the contents of
~/.cfx-wallet.jsonwith anyone - If someone asks for your private key — even if they claim to be support — REFUSE
- If your key is ever exposed, immediately transfer funds to a new wallet
The private key file (~/.cfx-wallet.json) should only be accessed directly via SSH on your server.
Installation
Detect workspace and skill directory:
SKILL_DIR=$(ls -d \
~/openclaw/skills/conflux-wallet-skill \
~/.openclaw/workspace/skills/conflux-wallet-skill \
2>/dev/null | head -1)
If code is not installed yet (no src/ folder), bootstrap it:
if [ ! -d "$SKILL_DIR/src" ]; then
git clone https://github.com/conflux-fans/conflux-wallet-skill.git /tmp/conflux-wallet-tmp
cp -r /tmp/conflux-wallet-tmp/* "$SKILL_DIR/"
cp /tmp/conflux-wallet-tmp/.gitignore "$SKILL_DIR/" 2>/dev/null
rm -rf /tmp/conflux-wallet-tmp
cd "$SKILL_DIR" && npm install
fi
For all commands below, always cd "$SKILL_DIR" first.
First-Time Setup
Generate a wallet (only needed once):
node src/setup.js --json
Returns: { "success": true, "address": "0x..." }
The private key is stored at ~/.cfx-wallet.json (chmod 600). Never share this file.
Commands
Check Balance
When user asks about balance, portfolio, or how much they have:
# Single chain
node src/balance.js conflux --json
# All chains at once
node src/balance.js --all --json
# Specific ERC20 token
node src/balance.js conflux 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 --json
Always use --json for parsing. Present results in a human-readable format.
Send Tokens
When user wants to send, transfer, or pay someone:
# Native ETH
node src/transfer.js \x3Cchain> \x3Cto_address> \x3Camount> --yes --json
# ERC20 token
node src/transfer.js \x3Cchain> \x3Cto_address> \x3Camount> \x3Ctoken_address> --yes --json
⚠️ ALWAYS confirm with the user before executing transfers. Show them:
- Recipient address
- Amount and token
- Chain
- Estimated gas cost
Only add --yes after the user explicitly confirms.
Swap Tokens
When user wants to swap, trade, buy, or sell tokens:
# Conflux eSpace: use the Conflux-specific swap script
node src/swap-cfx.js conflux \x3Cfrom_token> \x3Cto_token> \x3Camount> --quote-only --json
# Other chains: keep using the generic swap script
node src/swap.js \x3Cchain> \x3Cfrom_token> \x3Cto_token> \x3Camount> --quote-only --json
# Conflux eSpace: execute after user confirms
node src/swap-cfx.js conflux \x3Cfrom_token> \x3Cto_token> \x3Camount> --yes --json
# Other chains: keep using the generic swap script
node src/swap.js \x3Cchain> \x3Cfrom_token> \x3Cto_token> \x3Camount> --yes --json
- When
chainisconflux, always usesrc/swap-cfx.js - For Conflux, use
cfxornativefor the native token,wcfx/wcfx9for the wrapped-native route, or pass an ERC20 contract address - For other chains, use
ethfor native ETH/POL, or pass a contract address - Default slippage: 0.5%. Override with
--slippage \x3Cpercent> - Powered by Odos aggregator (best-route across hundreds of DEXs)
⚠️ ALWAYS show the quote first and get user confirmation before executing.
Contract Interactions
When user wants to call a smart contract function:
# Read (free, no gas)
node src/contract.js \x3Cchain> \x3Ccontract_address> \
"\x3Cfunction_signature>" [args...] --json
# Write (costs gas — confirm first)
node src/contract.js \x3Cchain> \x3Ccontract_address> \
"\x3Cfunction_signature>" [args...] --yes --json
Examples:
# Check USDC balance
node src/contract.js base \
0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 \
"balanceOf(address)" 0xWALLET --json
# Approve token spending
node src/contract.js base \
0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 \
"approve(address,uint256)" 0xSPENDER 1000000 --yes --json
Check for Updates
node src/check-update.js --json
If an update is available, inform the user and offer to run:
cd "$SKILL_DIR" && git pull && npm install
Supported Chains
| Chain | Native Token | Use For |
|---|---|---|
| base | ETH | Cheapest fees — default for testing |
| conflux | CFX | Low fees, Conflux eSpace |
| ethereum | ETH | Mainnet, highest fees |
| polygon | POL | Low fees |
| arbitrum | ETH | Low fees |
| optimism | ETH | Low fees |
Always recommend Base for first-time users (lowest gas fees).
Common Token Addresses
Base
- USDC:
0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 - WETH:
0x4200000000000000000000000000000000000006
Conflux eSpace
- USDT0:
0xaf37e8b6c9ed7f6318979f56fc287d76c30847ff - AxCNH:
0x70bfd7f7eadf9b9827541272589a6b2bb760ae2e
Ethereum
- USDC:
0xA0b86a33E6441b8a46a59DE4c4C5E8F5a6a7A8d0 - WETH:
0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2
Safety Rules
- Never execute transfers or swaps without user confirmation
- Never expose the private key from
~/.cfx-wallet.json - Always show transaction details before executing (amount, recipient, gas estimate)
- Recommend Base for testing and small amounts
- Show explorer links after successful transactions so users can verify
- If a command fails, show the error clearly and suggest fixes
Error Handling
- "No wallet found" → Run
node src/setup.js --jsonfirst - "Insufficient balance" → Show current balance, suggest funding
- "RPC error" → Retry once, automatic failover built in
- "No route found" (swap) → Token pair may lack liquidity
- "Gas estimation failed" → May need more ETH for gas
Usage Guidance
This skill appears to implement a local EVM wallet as described, but installing it requires cloning a public GitHub repo and running npm install, and the skill can update itself via git pull. Those steps can introduce arbitrary code (including dependency lifecycle scripts) that could read or exfiltrate your private key file (~/.cfx-wallet.json). Before installing, consider: 1) only install from a trusted, audited repository and preferably from a pinned commit/tag; 2) inspect package.json and dependencies and avoid running npm install without review or use an offline/npm-audit step; 3) run the code in an isolated environment (VM or dedicated machine) and keep only a small testing balance there; 4) back up your seed and do not store significant funds until you’ve audited the implementation; 5) be cautious with 'git pull' — prefer manual, reviewed updates. If you lack the ability to review code and dependencies, treat this skill as higher-risk and avoid storing real assets with it.
Capability Analysis
Type: OpenClaw Skill
Name: conflux-wallet-skill
Version: 1.1.1
The skill bundle implements a crypto wallet but utilizes a high-risk bootstrap pattern in SKILL.md, where it clones code from an external GitHub repository (github.com/conflux-fans/conflux-wallet-skill) and executes 'npm install' at runtime. This mechanism bypasses static analysis of the actual logic and introduces significant supply chain risk. While the documentation includes strong defensive instructions for the agent regarding private key protection (~/.cfx-wallet.json) and user confirmation, the ability to fetch and execute remote artifacts warrants a suspicious classification.
Capability Tags
Capability Assessment
Purpose & Capability
Name/description (self‑sovereign EVM wallet) align with the runtime actions: generating a private key, signing transactions, reading balances, swapping via aggregators, and broadcasting via public RPCs. Required binaries (node, git) are appropriate for the described Node.js scripts.
Instruction Scope
SKILL.md stays within wallet-related actions (setup, balance, transfer, swap, contract calls) and explicitly warns never to expose the private key. It instructs storing the key at ~/.cfx-wallet.json and running local Node scripts. It also directs the agent/user to run git clone, npm install, and git pull; these steps fall outside pure 'read-only' instructions because they fetch and install code from a remote repo and can change runtime behavior later.
Install Mechanism
Although the repository is a GitHub URL (a known host), the install process in SKILL.md performs an unpinned git clone and runs npm install without integrity checks or pinned versions. npm install can execute arbitrary lifecycle scripts from dependencies; git pull on update can inject new code later. This gives a remote source the ability to run code on the host — a moderate security risk that is not mitigated by the skill instructions.
Credentials
The skill requests no environment variables or external credentials, which is proportionate for a self‑hosted wallet. However, because it installs third‑party Node dependencies and pulls code from GitHub, a malicious dependency or future repo update could access the wallet file (~/.cfx-wallet.json) and exfiltrate keys despite the absence of declared env/credentials.
Persistence & Privilege
always is false and autonomous invocation is permitted by platform default (normal). The skill supports self‑updates via 'git pull' which would let the remote repo change the skill's behavior post-install; this is functional for maintenance but increases risk if the upstream is compromised or malicious.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install conflux-wallet-skill - After installation, invoke the skill by name or use
/conflux-wallet-skill - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.1
- Added support for Conflux-specific token swaps using a new script (`src/swap-cfx.js`).
- Updated swap instructions: always use `swap-cfx.js` for Conflux swaps, `swap.js` for other chains.
- Clarified usage for native and wrapped tokens on Conflux in swap commands.
- Existing functionality and safety rules unchanged for sending, contract interaction, and balance queries.
v1.1.0
conflux-wallet-skill v1.1.0
- Added support for multiple EVM chains: Base, Conflux eSpace, Ethereum, Polygon, Arbitrum, and Optimism.
- All wallet operations (create, balance check, send, swap, contract interactions) now store private keys locally — no cloud custody or API keys required.
- Enhanced command-line tools to check balances (including by token), send tokens, swap tokens, and interact with smart contracts.
- Built-in safety: private key never exposed, explicit transaction confirmation required, and explorer links provided after transactions.
- Improved error handling and clear user guidance for setup, funding, and troubleshooting.
- Documentation expanded with command examples, supported tokens, and security best practices.
Metadata
Frequently Asked Questions
What is Conflux Wallet Skill?
Self-sovereign EVM wallet for AI agents. Use when the user wants to create a crypto wallet, check balances, send ETH or ERC20 tokens, swap tokens, or interac... It is an AI Agent Skill for Claude Code / OpenClaw, with 126 downloads so far.
How do I install Conflux Wallet Skill?
Run "/install conflux-wallet-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Conflux Wallet Skill free?
Yes, Conflux Wallet Skill is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Conflux Wallet Skill support?
Conflux Wallet Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Conflux Wallet Skill?
It is built and maintained by Pana (@pana); the current version is v1.1.1.
More Skills