Downloads: 186
Stars: 0
Active Installs: 0
Versions: 3
Install in OpenClaw
/install zhentan
Description
Zhentan is your personal onchain security agent and co-signer. It monitors pending multisig transactions, screens them against behavioral patterns and securi...
Usage Guidance
This skill is coherently designed for a remote co-signer but hands a single secret to an external service (api.zhentan.me). Before installing:
1) Verify the operator (homepage, company, audits, and reputation).
2) Treat AGENT_SECRET as high‑privilege: don’t reuse it, ensure it can be rotated/revoked, and limit its scope if possible.
3) Prefer testing with a non-production Safe or tiny-value transactions first.
4) Ask for documentation: what exactly the secret authorizes, what logs/events are generated, how proofs of execution are provided, and whether the service returns verifiable on‑chain tx data.
5) If you cannot verify the service or the secret’s limits, do not provide your signing credentials; consider a self-hosted or audited alternative.
Capability Analysis
Type: OpenClaw Skill
Name: zhentan
Version: 1.0.2
The 'zhentan' skill acts as a security co-signer for blockchain transactions, interacting with a remote API at api.zhentan.me. While its stated purpose is security monitoring, the SKILL.md file contains multiple instructions for the AI agent to construct and execute shell commands (curl) using unsanitized user inputs (e.g., transaction IDs, Safe addresses, and Telegram user IDs). This creates a significant risk for shell command injection if the agent processes malicious input from a user. Additionally, the skill requires a sensitive AGENT_SECRET which is transmitted to the external domain, and while this is part of its functional design, the high-privilege nature of the tool combined with insecure command templates warrants caution.
Capability Assessment
Purpose & Capability
Name/description (onchain co-signer) align with the actions described in SKILL.md: the skill only needs to call an external API to approve/reject/execute Safe multisig transactions, and it requires curl and a secret to authenticate. However, provenance is unknown (no homepage, unverified owner) and the single AGENT_SECRET is presented as the authority to request executions — this is powerful and not explained in detail.
Instruction Scope
Runtime instructions stay within the stated purpose: they only call https://api.zhentan.me endpoints and read session context (origin.from) to build callerId. The instructions require embedding AGENT_SECRET in every request and instruct the agent to send transaction approvals and notifications. There is no instruction to read unrelated local files or other credentials. The SKILL.md lacks details about error handling, verifying server responses, or cryptographic assurances that the remote API actually performed signing.
Install Mechanism
Instruction-only skill with no install spec or code files — nothing is written to disk by the skill itself. Required binary is only curl, which is proportionate to making HTTP requests.
Credentials
Requires a single environment secret AGENT_SECRET as the primary credential. That is plausible for authenticating to a remote co-signer, but the skill provides no information about the scope, least privilege, rotation, or how that secret is minted. If AGENT_SECRET grants the ability to sign/execute on-chain transactions, it is a high‑value credential and deserves stronger justification and operational controls.
Persistence & Privilege
Skill does not request always:true, does not modify other skills or system configuration, and is user-invocable. Autonomous invocation (disable-model-invocation:false) is the platform default and is not in itself flagged, though combined with a high-privilege secret it increases risk.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install zhentan
- After installation, invoke the skill by name or use /zhentan
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Changes for multi-user
- Removed dmScore
v1.0.1
**Summary:** Adds authenticated API requests and user identity tracking; removes deprecated script.
- All API requests now require the AGENT_SECRET for authentication via the Authorization header.
- Each request must include the Telegram caller’s user ID ("callerId": "telegram:<origin.from>") for auditability.
- Replaced previous transaction execution flow (sign-and-execute.js) with a direct /execute API endpoint.
- Required "node" runtime dependency removed; only curl and AGENT_SECRET environment variable are needed.
- Documented updated request/response patterns and error handling across all interaction flows.
v1.0.0
Initial release of zhentan, your personal onchain security agent and co-signer.
- Monitors pending multisig transactions, screens them with behavioral and external risk data, and auto-signs safe transactions.
- Flags borderline or suspicious activity for manual review; blocks clearly risky transactions.
- Provides owner commands via chat/Telegram to approve, reject, review, and analyze transactions.
- Includes in-depth risk analysis tools and audit history for transactions and events.
- Supports rules management and invoice detection/processing for streamlined transaction workflows.
- Requires Node.js and curl; configurable via SERVER_URL environment variable.
Frequently Asked Questions
What is Zhentan?
Zhentan is your personal onchain security agent and co-signer. It monitors pending multisig transactions, screens them against behavioral patterns and securi... It is an AI Agent Skill for Claude Code / OpenClaw, with 186 downloads so far.
How do I install Zhentan?
Run "/install zhentan" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Zhentan free?
Yes, Zhentan is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Zhentan support?
Zhentan is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Zhentan?
It is built and maintained by koshikraj (@koshikraj); the current version is v1.0.2.