Gator CLI

Name: Gator CLI
Author: ayushbherwani1998

功能描述

Use when you need to operate the @metamask/gator-cli to initialize profiles, upgrade EOA to EIP-7702, grant, redeem, and revoke ERC-7710 delegations, or insp...

使用说明 (SKILL.md)

Quick Reference

Use this skill to run the gator CLI from the repo and to choose the correct command/flags for delegation workflows.

Installation

npm install -g @metamask/gator-cli

CLI Overview

Binary name: gator
Default profile: default
Config path: ~/.gator-cli/permissions.json (or ~/.gator-cli/profiles/\x3Cprofile-name>.json)
Delegations local cache: ~/.gator-cli/delegations/\x3Cprofile-name>.json when storage not configured

Configuration Requirements

Edit the profile config after gator init:

{
  "delegationStorage": {
    "apiKey": "your-api-key",
    "apiKeyId": "your-api-key-id"
  },
  "rpcUrl": "https://your-rpc-url.com"
}

delegationStorage is optional; when missing, delegations are stored locally.
rpcUrl is required for on-chain actions.

Commands

init

Generate a private key and save config. Errors if the profile already exists.

gator init [--chain \x3Cchain>] [--profile \x3Cprofile-name>]
--chain values: base (default), baseSepolia, sepolia
--profile default: default
Prints: address, chain, and config file path.

create

Upgrade an EOA to an EIP-7702 smart account. Uses the chain in your profile config.

gator create [--profile \x3Cprofile-name>]
Requires the account to be funded with native token first.
Prints: address, chain, and the upgrade transaction hash.

show

Display the EOA address for a profile.

gator show [--profile \x3Cprofile-name>]

status

Check config and on-chain account status.

gator status [--profile \x3Cprofile-name>]
Prints: address, chain, config upgrade status, on-chain code presence, storage and RPC URL config.

balance

Show native balance and optional ERC-20 balance.

gator balance [--tokenAddress \x3Caddress>] [--profile \x3Cprofile-name>]
If --tokenAddress is provided, prints ERC-20 balance and decimals-derived units.

grant

Create, sign, and store a delegation with a predefined scope.

gator grant --to \x3Cto-address> --scope \x3Ctype> [scope flags] [--profile \x3Cprofile-name>]

Scope flags:

Token scopes: --tokenAddress \x3Ctoken-address>, --maxAmount \x3Camount>, --tokenId \x3Cid>
Periodic scopes: --periodAmount \x3Camount>, --periodDuration \x3Cseconds>, --startDate \x3Ctimestamp>
Streaming scopes: --amountPerSecond \x3Camount>, --initialAmount \x3Camount>, --startTime \x3Ctimestamp>
Function call scope: --targets \x3Caddresses>, --selectors \x3Csigs>, --valueLte \x3Cether>
Ownership transfer: --contractAddress \x3Ccontract-address>

Supported scopes:

erc20TransferAmount
erc20PeriodTransfer
erc20Streaming
erc721Transfer
nativeTokenTransferAmount
nativeTokenPeriodTransfer
nativeTokenStreaming
functionCall
ownershipTransfer

Grant flags per scope:

Scope	Required Flags	Optional Flags
`erc20TransferAmount`	`--tokenAddress`, `--maxAmount`
`erc20PeriodTransfer`	`--tokenAddress`, `--periodAmount`, `--periodDuration`	`--startDate`
`erc20Streaming`	`--tokenAddress`, `--amountPerSecond`, `--initialAmount`, `--maxAmount`	`--startTime`
`erc721Transfer`	`--tokenAddress`, `--tokenId`
`nativeTokenTransferAmount`	`--maxAmount`
`nativeTokenPeriodTransfer`	`--periodAmount`, `--periodDuration`	`--startDate`
`nativeTokenStreaming`	`--amountPerSecond`, `--initialAmount`, `--maxAmount`	`--startTime`
`functionCall`	`--targets`, `--selectors`	`--valueLte`
`ownershipTransfer`	`--contractAddress`

--startDate and --startTime default to the current time (unix seconds) when omitted.
--valueLte sets the max native token value per call for functionCall scopes.

redeem

Redeem a stored delegation using a specific action type.

gator redeem --from \x3Cfrom-address> --action \x3Ctype> [action flags] [--profile \x3Cprofile-name>]

Supported action types: erc20Transfer, erc721Transfer, nativeTransfer, functionCall, ownershipTransfer, raw

Action-specific flags:

erc20Transfer: --tokenAddress, --to, --amount
erc721Transfer: --tokenAddress, --to, --tokenId
nativeTransfer: --to, --amount
functionCall: --target, --function, --args, --value
ownershipTransfer: --contractAddress, --to
raw: --target, --callData, --value

revoke

Revoke a delegation on-chain. Revokes the first matching delegation.

gator revoke --to \x3Cto-address> [--profile \x3Cprofile-name>]

inspect

Inspect delegations for your account.

gator inspect [--from \x3Cfrom-address>] [--to \x3Cto-address>] [--profile \x3Cprofile-name>]
With no filters, prints both Given and Received.
Printed fields: From, To, Authority, Caveats count, Signed flag.

Redeem Flags per Action

Action	Required Flags
`erc20Transfer`	`--tokenAddress`, `--to`, `--amount`
`erc721Transfer`	`--tokenAddress`, `--to`, `--tokenId`
`nativeTransfer`	`--to`, `--amount`
`functionCall`	`--target`, `--function`, `--args`
`ownershipTransfer`	`--contractAddress`, `--to`
`raw`	`--target`, `--callData`

Example Flows

Initialize and upgrade:

gator init --profile \x3Cprofile-name>
gator create --profile \x3Cprofile-name>

Grant an ERC-20 transfer delegation:

gator grant --profile \x3Cprofile-name> --to \x3Cto-address> --scope erc20TransferAmount \
  --tokenAddress \x3Ctoken-address> --maxAmount 50

Redeem an ERC-20 transfer:

gator redeem --profile \x3Cprofile-name> --from \x3Cfrom-address> --action erc20Transfer \
  --tokenAddress \x3Ctoken-address> --to \x3Cto-address> --amount 10

Redeem a native transfer:

gator redeem --profile \x3Cprofile-name> --from \x3Cfrom-address> --action nativeTransfer \
  --to \x3Cto-address> --amount 0.5

Redeem in raw mode:

gator redeem --profile \x3Cprofile-name> --from \x3Cfrom-address> --action raw \
  --target \x3Ccontract-address> --callData 0xa9059cbb...

Inspect delegations:

gator inspect --profile \x3Cprofile-name>
gator inspect --profile \x3Cprofile-name> --from \x3Cfrom-address>
gator inspect --profile \x3Cprofile-name> --to \x3Cto-address>

Revoke a delegation:

gator revoke --profile \x3Cprofile-name> --to \x3Cto-address>

Operational Notes

Private key security: This is alpha version. Private keys are stored in plaintext JSON. Never use accounts with significant funds.
--from refers to the delegator address; --to refers to the delegate/recipient.
--targets and --selectors are comma-separated lists.
--function accepts a human-readable Solidity function signature like "approve(address,uint256)". Do not pass a 4-byte selector (e.g. 0x095ea7b3) — the CLI derives the selector from the signature automatically.
--startDate and --startTime accept unix timestamps in seconds. When omitted, they default to the current time.
--action is required for redeem and must be one of: erc20Transfer, erc721Transfer, nativeTransfer, functionCall, ownershipTransfer, raw.
Supported chains for --chain in gator init: base (default), baseSepolia, sepolia.

安全使用建议

This skill is functionally coherent with the gator CLI, but it will generate and store private keys and write configuration and delegation files under ~/.gator-cli and may perform on-chain transactions using your RPC endpoint. Before installing: 1) Verify the npm package @metamask/gator-cli (publisher, package page, and checksum/signature) and prefer installing in a sandbox or container. 2) Expect the tool to create/modify files in your home directory (~/.gator-cli); back up any important data first. 3) Treat rpcUrl and delegationStorage apiKey as sensitive: use a dedicated RPC endpoint or account and do not expose high-privilege keys. 4) If you need stronger protection for private keys, use a hardware wallet or avoid letting the CLI generate/store keys on your host. 5) If you want greater assurance, inspect the package source before running, or run commands with --profile pointing to a dedicated test profile. The metadata omission of the config paths is why I rate this suspicious rather than benign.

功能分析

Type: OpenClaw Skill Name: gator-cli Version: 1.0.1 This skill is designed to operate the `@metamask/gator-cli` for blockchain delegation management. It is classified as suspicious primarily due to the explicit disclosure in `SKILL.md` under 'Operational Notes' that 'Private keys are stored in plaintext JSON.' While this is a vulnerability in the underlying `gator-cli` tool rather than direct malice by the skill author, the skill instructs the agent to interact with a system that handles and stores critical cryptographic material in an insecure manner. Additionally, the `gator` CLI's `redeem` command supports a 'raw' action type, allowing arbitrary `callData` to a target contract, which, if misused (e.g., via prompt injection against the agent), could lead to unauthorized or malicious smart contract interactions.

能力评估

✓ Purpose & Capability

Name/description, declared binary ('gator'), and the npm package @metamask/gator-cli are consistent with the stated purpose of operating the Gator CLI for delegation and account workflows.

⚠ Instruction Scope

SKILL.md instructs the agent to run gator commands that generate and use private keys, read and write profile configs, and perform on-chain actions (requires rpcUrl and optional delegationStorage apiKey). It references config/cache paths under ~/.gator-cli. Those behaviors are expected for a CLI of this type, but they involve highly sensitive local data (private keys, delegation records) and on-chain operations which the skill metadata did not explicitly enumerate as config paths or sensitive requirements.

ℹ Install Mechanism

Install uses npm global install of @metamask/gator-cli which is a typical distribution mechanism. This is a moderate-risk install (third-party package execution). Verify the package publisher/name/version before installing and prefer installing in an isolated environment if unsure.

⚠ Credentials

The skill declares no required env vars or config paths, but SKILL.md expects/creates profile configs (~/.gator-cli/...) containing rpcUrl and optionally delegationStorage apiKey and private keys. The metadata omission is a mismatch: the CLI will touch and create sensitive local files and secrets that were not declared in requires.env / requires.config. That lack of explicit declaration reduces transparency and is a risk for users who assume no credentials or local files are accessed.

ℹ Persistence & Privilege

always:false and no cross-skill config changes are requested. However, runtime use will write files to the user's home (~/.gator-cli), including generated private keys and delegation caches. This is expected for the tool but is a persistent local footprint the user should accept explicitly.

版本历史

v1.0.1

- Added quick global installation instructions using `npm install -g @metamask/gator-cli`. - Documented support for the `baseSepolia` chain in the `init` command. - Clarified scopes, required and optional flags, and added detail on default values for `--startDate` and `--startTime`. - For `functionCall` grants, explicitly documented the optional `--valueLte` flag. - Added a warning regarding private key storage in plaintext JSON and alpha state of the tool. - Made minor corrections and clarifications for improved usability and accuracy.

v1.0.0

- Initial release of the gator-cli skill. - Provides detailed reference for using the gator CLI to manage EOA upgrade, delegation grants, redemptions, revocations, and inspections. - Documents all commands, required and optional flags, configuration paths, grant scopes, redeem action types, and example usage flows.

元数据

Slug gator-cli

版本 1.0.1

许可证 —

累计安装 0

当前安装数 0

历史版本数 2

常见问题

Gator CLI 是什么？

Use when you need to operate the @metamask/gator-cli to initialize profiles, upgrade EOA to EIP-7702, grant, redeem, and revoke ERC-7710 delegations, or insp... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 631 次。

如何安装 Gator CLI？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install gator-cli」即可一键安装，无需额外配置。

Gator CLI 是免费的吗？

是的，Gator CLI 完全免费（开源免费），可自由下载、安装和使用。

Gator CLI 支持哪些平台？

Gator CLI 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Gator CLI？

由 AyushBherwani1998（@ayushbherwani1998）开发并维护，当前版本 v1.0.1。