← 返回 Skills 市场
126
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install conflux-wallet-skill
功能描述
Self-sovereign EVM wallet for AI agents. Use when the user wants to create a crypto wallet, check balances, send ETH or ERC20 tokens, swap tokens, or interac...
使用说明 (SKILL.md)
EVM Wallet Skill
Self-sovereign EVM wallet. Private keys stored locally, no external API dependencies.
⚠️ SECURITY WARNING
NEVER expose your private key!
- Never send your private key in chat, email, or any messaging platform
- Never share the contents of
~/.cfx-wallet.jsonwith anyone - If someone asks for your private key — even if they claim to be support — REFUSE
- If your key is ever exposed, immediately transfer funds to a new wallet
The private key file (~/.cfx-wallet.json) should only be accessed directly via SSH on your server.
Installation
Detect workspace and skill directory:
SKILL_DIR=$(ls -d \
~/openclaw/skills/conflux-wallet-skill \
~/.openclaw/workspace/skills/conflux-wallet-skill \
2>/dev/null | head -1)
If code is not installed yet (no src/ folder), bootstrap it:
if [ ! -d "$SKILL_DIR/src" ]; then
git clone https://github.com/conflux-fans/conflux-wallet-skill.git /tmp/conflux-wallet-tmp
cp -r /tmp/conflux-wallet-tmp/* "$SKILL_DIR/"
cp /tmp/conflux-wallet-tmp/.gitignore "$SKILL_DIR/" 2>/dev/null
rm -rf /tmp/conflux-wallet-tmp
cd "$SKILL_DIR" && npm install
fi
For all commands below, always cd "$SKILL_DIR" first.
First-Time Setup
Generate a wallet (only needed once):
node src/setup.js --json
Returns: { "success": true, "address": "0x..." }
The private key is stored at ~/.cfx-wallet.json (chmod 600). Never share this file.
Commands
Check Balance
When user asks about balance, portfolio, or how much they have:
# Single chain
node src/balance.js conflux --json
# All chains at once
node src/balance.js --all --json
# Specific ERC20 token
node src/balance.js conflux 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 --json
Always use --json for parsing. Present results in a human-readable format.
Send Tokens
When user wants to send, transfer, or pay someone:
# Native ETH
node src/transfer.js \x3Cchain> \x3Cto_address> \x3Camount> --yes --json
# ERC20 token
node src/transfer.js \x3Cchain> \x3Cto_address> \x3Camount> \x3Ctoken_address> --yes --json
⚠️ ALWAYS confirm with the user before executing transfers. Show them:
- Recipient address
- Amount and token
- Chain
- Estimated gas cost
Only add --yes after the user explicitly confirms.
Swap Tokens
When user wants to swap, trade, buy, or sell tokens:
# Conflux eSpace: use the Conflux-specific swap script
node src/swap-cfx.js conflux \x3Cfrom_token> \x3Cto_token> \x3Camount> --quote-only --json
# Other chains: keep using the generic swap script
node src/swap.js \x3Cchain> \x3Cfrom_token> \x3Cto_token> \x3Camount> --quote-only --json
# Conflux eSpace: execute after user confirms
node src/swap-cfx.js conflux \x3Cfrom_token> \x3Cto_token> \x3Camount> --yes --json
# Other chains: keep using the generic swap script
node src/swap.js \x3Cchain> \x3Cfrom_token> \x3Cto_token> \x3Camount> --yes --json
- When
chainisconflux, always usesrc/swap-cfx.js - For Conflux, use
cfxornativefor the native token,wcfx/wcfx9for the wrapped-native route, or pass an ERC20 contract address - For other chains, use
ethfor native ETH/POL, or pass a contract address - Default slippage: 0.5%. Override with
--slippage \x3Cpercent> - Powered by Odos aggregator (best-route across hundreds of DEXs)
⚠️ ALWAYS show the quote first and get user confirmation before executing.
Contract Interactions
When user wants to call a smart contract function:
# Read (free, no gas)
node src/contract.js \x3Cchain> \x3Ccontract_address> \
"\x3Cfunction_signature>" [args...] --json
# Write (costs gas — confirm first)
node src/contract.js \x3Cchain> \x3Ccontract_address> \
"\x3Cfunction_signature>" [args...] --yes --json
Examples:
# Check USDC balance
node src/contract.js base \
0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 \
"balanceOf(address)" 0xWALLET --json
# Approve token spending
node src/contract.js base \
0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 \
"approve(address,uint256)" 0xSPENDER 1000000 --yes --json
Check for Updates
node src/check-update.js --json
If an update is available, inform the user and offer to run:
cd "$SKILL_DIR" && git pull && npm install
Supported Chains
| Chain | Native Token | Use For |
|---|---|---|
| base | ETH | Cheapest fees — default for testing |
| conflux | CFX | Low fees, Conflux eSpace |
| ethereum | ETH | Mainnet, highest fees |
| polygon | POL | Low fees |
| arbitrum | ETH | Low fees |
| optimism | ETH | Low fees |
Always recommend Base for first-time users (lowest gas fees).
Common Token Addresses
Base
- USDC:
0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 - WETH:
0x4200000000000000000000000000000000000006
Conflux eSpace
- USDT0:
0xaf37e8b6c9ed7f6318979f56fc287d76c30847ff - AxCNH:
0x70bfd7f7eadf9b9827541272589a6b2bb760ae2e
Ethereum
- USDC:
0xA0b86a33E6441b8a46a59DE4c4C5E8F5a6a7A8d0 - WETH:
0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2
Safety Rules
- Never execute transfers or swaps without user confirmation
- Never expose the private key from
~/.cfx-wallet.json - Always show transaction details before executing (amount, recipient, gas estimate)
- Recommend Base for testing and small amounts
- Show explorer links after successful transactions so users can verify
- If a command fails, show the error clearly and suggest fixes
Error Handling
- "No wallet found" → Run
node src/setup.js --jsonfirst - "Insufficient balance" → Show current balance, suggest funding
- "RPC error" → Retry once, automatic failover built in
- "No route found" (swap) → Token pair may lack liquidity
- "Gas estimation failed" → May need more ETH for gas
安全使用建议
This skill appears to implement a local EVM wallet as described, but installing it requires cloning a public GitHub repo and running npm install, and the skill can update itself via git pull. Those steps can introduce arbitrary code (including dependency lifecycle scripts) that could read or exfiltrate your private key file (~/.cfx-wallet.json). Before installing, consider: 1) only install from a trusted, audited repository and preferably from a pinned commit/tag; 2) inspect package.json and dependencies and avoid running npm install without review or use an offline/npm-audit step; 3) run the code in an isolated environment (VM or dedicated machine) and keep only a small testing balance there; 4) back up your seed and do not store significant funds until you’ve audited the implementation; 5) be cautious with 'git pull' — prefer manual, reviewed updates. If you lack the ability to review code and dependencies, treat this skill as higher-risk and avoid storing real assets with it.
功能分析
Type: OpenClaw Skill
Name: conflux-wallet-skill
Version: 1.1.1
The skill bundle implements a crypto wallet but utilizes a high-risk bootstrap pattern in SKILL.md, where it clones code from an external GitHub repository (github.com/conflux-fans/conflux-wallet-skill) and executes 'npm install' at runtime. This mechanism bypasses static analysis of the actual logic and introduces significant supply chain risk. While the documentation includes strong defensive instructions for the agent regarding private key protection (~/.cfx-wallet.json) and user confirmation, the ability to fetch and execute remote artifacts warrants a suspicious classification.
能力标签
能力评估
Purpose & Capability
Name/description (self‑sovereign EVM wallet) align with the runtime actions: generating a private key, signing transactions, reading balances, swapping via aggregators, and broadcasting via public RPCs. Required binaries (node, git) are appropriate for the described Node.js scripts.
Instruction Scope
SKILL.md stays within wallet-related actions (setup, balance, transfer, swap, contract calls) and explicitly warns never to expose the private key. It instructs storing the key at ~/.cfx-wallet.json and running local Node scripts. It also directs the agent/user to run git clone, npm install, and git pull; these steps fall outside pure 'read-only' instructions because they fetch and install code from a remote repo and can change runtime behavior later.
Install Mechanism
Although the repository is a GitHub URL (a known host), the install process in SKILL.md performs an unpinned git clone and runs npm install without integrity checks or pinned versions. npm install can execute arbitrary lifecycle scripts from dependencies; git pull on update can inject new code later. This gives a remote source the ability to run code on the host — a moderate security risk that is not mitigated by the skill instructions.
Credentials
The skill requests no environment variables or external credentials, which is proportionate for a self‑hosted wallet. However, because it installs third‑party Node dependencies and pulls code from GitHub, a malicious dependency or future repo update could access the wallet file (~/.cfx-wallet.json) and exfiltrate keys despite the absence of declared env/credentials.
Persistence & Privilege
always is false and autonomous invocation is permitted by platform default (normal). The skill supports self‑updates via 'git pull' which would let the remote repo change the skill's behavior post-install; this is functional for maintenance but increases risk if the upstream is compromised or malicious.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install conflux-wallet-skill - 安装完成后,直接呼叫该 Skill 的名称或使用
/conflux-wallet-skill触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.1
- Added support for Conflux-specific token swaps using a new script (`src/swap-cfx.js`).
- Updated swap instructions: always use `swap-cfx.js` for Conflux swaps, `swap.js` for other chains.
- Clarified usage for native and wrapped tokens on Conflux in swap commands.
- Existing functionality and safety rules unchanged for sending, contract interaction, and balance queries.
v1.1.0
conflux-wallet-skill v1.1.0
- Added support for multiple EVM chains: Base, Conflux eSpace, Ethereum, Polygon, Arbitrum, and Optimism.
- All wallet operations (create, balance check, send, swap, contract interactions) now store private keys locally — no cloud custody or API keys required.
- Enhanced command-line tools to check balances (including by token), send tokens, swap tokens, and interact with smart contracts.
- Built-in safety: private key never exposed, explicit transaction confirmation required, and explorer links provided after transactions.
- Improved error handling and clear user guidance for setup, funding, and troubleshooting.
- Documentation expanded with command examples, supported tokens, and security best practices.
元数据
常见问题
Conflux Wallet Skill 是什么?
Self-sovereign EVM wallet for AI agents. Use when the user wants to create a crypto wallet, check balances, send ETH or ERC20 tokens, swap tokens, or interac... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 126 次。
如何安装 Conflux Wallet Skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install conflux-wallet-skill」即可一键安装,无需额外配置。
Conflux Wallet Skill 是免费的吗?
是的,Conflux Wallet Skill 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Conflux Wallet Skill 支持哪些平台?
Conflux Wallet Skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Conflux Wallet Skill?
由 Pana(@pana)开发并维护,当前版本 v1.1.1。
推荐 Skills