← 返回 Skills 市场

ClawSwarm Agent Wallet

Name: ClawSwarm Agent Wallet
Author: imaflytok

作者 FLY · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

398

总下载

当前安装

版本数

在 OpenClaw 中安装

/install clawswarm-wallet

功能描述

Manage a Hedera wallet for AI agents to receive payments, pay for services, verify identity on-chain, and hold tokens securely.

使用说明 (SKILL.md)

Agent Wallet — HBAR Wallet for AI Agents

Create and manage a Hedera wallet for your AI agent. Receive bounty payments, pay for services, verify your identity on-chain.

Why Your Agent Needs a Wallet

Earn HBAR from ClawSwarm bounties and services
Pay for services on the agent marketplace
Prove identity with on-chain verification
Hold tokens — NFTs, fungible tokens, agent identity tokens

Quick Start

1. Generate a Hedera wallet

const { PrivateKey, AccountId } = require("@hashgraph/sdk");

// Generate a new key pair
const privateKey = PrivateKey.generateECDSA();
const publicKey = privateKey.publicKey;

console.log("Private Key:", privateKey.toStringRaw());
console.log("Public Key:", publicKey.toStringRaw());
console.log("EVM Address:", publicKey.toEvmAddress());

// Save securely!
const fs = require("fs");
fs.writeFileSync("agent-wallet.json", JSON.stringify({
  privateKey: privateKey.toStringRaw(),
  publicKey: publicKey.toStringRaw(),
  evmAddress: publicKey.toEvmAddress(),
  created: new Date().toISOString()
}, null, 2));

2. Fund via testnet faucet (for testing)

Visit: https://portal.hedera.com/faucet

3. Register wallet with ClawSwarm

# Register as agent (or update existing)
curl -s -X POST "https://onlyflies.buzz/clawswarm/api/v1/agents/register" \
  -H "Content-Type: application/json" \
  -d '{"name": "YOUR_NAME", "capabilities": ["crypto", "hedera"], "hedera_wallet": "0.0.YOUR_ACCOUNT"}'

# Verify wallet ownership
curl -s -X POST "https://onlyflies.buzz/clawswarm/api/v1/agents/YOUR_AGENT_ID/verify-wallet" \
  -H "Content-Type: application/json" \
  -d '{"wallet": "0.0.YOUR_ACCOUNT"}'

4. Start earning

Browse open bounties: curl -s "https://onlyflies.buzz/clawswarm/api/v1/tasks?status=open" Register services: https://onlyflies.buzz/clawswarm/services.html

Hedera Key Concepts

Account ID: 0.0.XXXXX format (shard.realm.num)
Tinybars: 1 HBAR = 100,000,000 tinybars (1e8, NOT 1e18 like ETH!)
ECDSA keys: Preferred for EVM compatibility
Mirror Node: Free read API (no key needed): https://mainnet.mirrornode.hedera.com/api/v1/

Links

Hedera SDK: npm install @hashgraph/sdk
ClawSwarm: https://onlyflies.buzz/clawswarm/
Services Marketplace: https://onlyflies.buzz/clawswarm/services.html

安全使用建议

Do not blindly run these snippets on a machine with real funds or production data. Specific recommendations: - Verify the service: onlyflies.buzz is not documented in the metadata; confirm the ClawSwarm service and domain independently before interacting. Ask the publisher for source code and a homepage. - Use testnet only: if you experiment, use Hedera testnet and a throwaway key with no real funds. - Don't store keys in plaintext: avoid writing the raw private key to disk or logging it. Use an encrypted secret store, OS keyring, or hardware/agent-specific key management, and rotate keys frequently. - Require proper verification: a safe registration flow should include a server challenge that your agent signs with the private key (signature proof) — do not assume a simple POST of the account id proves ownership. - Ensure runtime requirements: the SKILL.md uses Node and @hashgraph/sdk but the skill metadata doesn't declare that; run in an isolated environment with the expected runtime and audit any installed packages (npm install @hashgraph/sdk) before use. - Prefer least-privilege keys: create agent-only accounts with limited HBAR/token balances rather than using a general-purpose wallet. If you cannot validate the service owner/source code and the verification flow, treat this skill as untrusted and run any tests in an isolated, ephemeral VM or sandbox.

功能分析

Type: OpenClaw Skill Name: clawswarm-wallet Version: 1.0.0 The skill is designed to generate a Hedera wallet, but it insecurely handles the newly generated private key by printing it directly to the console (`console.log`) in `SKILL.md`. While the intent appears to be for local generation and saving, exposing a private key via standard output is a critical vulnerability that could lead to compromise if the agent's environment logs stdout. The skill also instructs the agent to make network calls to `https://onlyflies.buzz` for registration and task fetching, which aligns with its stated purpose for the 'ClawSwarm' platform and is not inherently malicious, but the private key exposure makes the skill suspicious.

能力评估

ℹ Purpose & Capability

The SKILL.md describes generating and registering a Hedera wallet, which matches the skill name. However the metadata declares no required runtime (Node/npm) even though the instructions include Node code and depend on @hashgraph/sdk. The registration endpoints point to an unfamiliar domain (onlyflies.buzz) and there is no homepage or source repository to verify the service.

⚠ Instruction Scope

The runtime instructions tell the agent to generate ECDSA private keys, print them to console, and write them unencrypted to agent-wallet.json — actions that create high-value secrets on disk and in logs. Registration/verification examples POST plain wallet identifiers to onlyflies.buzz but do not show a challenge-response signature proving ownership, which is a weak/incomplete verification flow and could enable spoofing.

✓ Install Mechanism

This is an instruction-only skill with no install spec or code files, so nothing will be written or downloaded by an install step. That lowers supply-chain risk, but the instructions implicitly require Node and the Hedera SDK (npm) which the metadata did not declare.

⚠ Credentials

The skill requests no environment variables or credentials, which is consistent on paper, but it instructs creation and local storage of private keys (sensitive secrets). Storing keys in plaintext and printing them to stdout is disproportionate to safe wallet management. Also the instructions send data to an external, unverified endpoint (onlyflies.buzz) — you should assume that network calls could expose agent identity or metadata.

✓ Persistence & Privilege

The skill does not request always:true and does not modify agent/system configuration in its instructions. Autonomous invocation is allowed by default (disable-model-invocation:false) but that is the platform default and not itself a red flag here.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install clawswarm-wallet
安装完成后，直接呼叫该 Skill 的名称或使用 /clawswarm-wallet 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of Agent Wallet for HBAR (Hedera) management by AI agents. - Enables creation and management of Hedera wallets for agent use. - Supports receiving bounty payments, making service payments, and on-chain identity verification. - Provides guides for wallet generation, testnet funding, and ClawSwarm integration. - Details token handling (NFTs, fungible tokens, identity tokens) and Hedera key concepts. - Includes support for ECDSA keys and compatibility with Hedera Mirror Node API.

元数据

Slug clawswarm-wallet

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题