← 返回 Skills 市场
226
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install goodwallet-trading
功能描述
Blockchain trading tools extending GoodWallet MPC agentic wallets. Adds ERC20 transfers, token approvals, DEX swaps (Uniswap V2), arbitrary contract calls, b...
使用说明 (SKILL.md)
GoodWallet Trading
Extends the goodwallet skill with blockchain trading capabilities. All transactions are MPC-signed via the same Sodot threshold ECDSA signing service.
Prerequisite: The user must first authorize via the goodwallet skill (auth + pair). Credentials are shared via ~/.config/goodwallet/config.json.
All commands are run via npx [email protected].
Important: Do not share technical details (key types, signature formats, internal paths). Run commands and report outcomes in plain language.
Setup
If the user hasn't authorized yet, run the goodwallet auth flow first:
npx [email protected] auth
# Show the URL to the user, then immediately:
npx [email protected] pair
Once paired, all goodwallet-trading commands will work automatically.
Commands
balance — Check ETH and ERC20 balances
npx [email protected] balance
npx [email protected] balance --token \x3Cerc20-address>
erc20-send — Send ERC20 tokens
npx [email protected] erc20-send --to \x3Caddress> --amount \x3Camount> --token \x3Cerc20-address>
| Flag | Short | Required | Description |
|---|---|---|---|
--to \x3Caddress> |
-t |
Yes | Recipient address |
--amount \x3Camount> |
-a |
Yes | Amount (human-readable, e.g. 10.5) |
--token \x3Caddress> |
Yes | ERC20 token contract |
approve — Approve token spending
npx [email protected] approve --token \x3Cerc20-address> --spender \x3Caddress>
npx [email protected] approve --token \x3Cerc20-address> --spender \x3Caddress> --amount 100
Without --amount, approves unlimited spending.
contract-call — Call any smart contract
The most powerful command — execute arbitrary contract calls with MPC signing.
npx [email protected] contract-call --to \x3Ccontract> --data \x3Ccalldata-hex>
npx [email protected] contract-call --to \x3Ccontract> --data \x3Ccalldata-hex> --value 0.1
| Flag | Required | Description |
|---|---|---|
--to \x3Caddress> |
Yes | Contract address |
--data \x3Chex> |
Yes | Calldata (hex with 0x prefix) |
--value \x3Cether> |
No | ETH to send with call (default: 0) |
swap — Uniswap V2 DEX swap
npx [email protected] swap --router \x3Crouter-address> --from-token ETH --to-token \x3Ctoken-address> --amount 0.1
npx [email protected] swap --router \x3Crouter-address> --from-token \x3Ctoken-a> --to-token \x3Ctoken-b> --amount 100
| Flag | Required | Description |
|---|---|---|
--router \x3Caddress> |
Yes | Uniswap V2 router address |
--from-token \x3Caddress|ETH> |
Yes | Token to sell (or "ETH") |
--to-token \x3Caddress|ETH> |
Yes | Token to buy (or "ETH") |
--amount \x3Camount> |
Yes | Amount to swap |
--slippage \x3Cpercent> |
No | Slippage tolerance (default: 1%) |
token-info — Get ERC20 token details
npx [email protected] token-info --token \x3Cerc20-address>
Returns: name, symbol, decimals, total supply, your balance.
allowance — Check approved spending
npx [email protected] allowance --token \x3Cerc20-address> --spender \x3Caddress>
Environment Variables
| Variable | Default | Description |
|---|---|---|
SIGN_URL |
sign.goodwallet.dev |
Signing service endpoint |
RPC_URL |
Alchemy Hoodi endpoint | Override RPC URL |
Network
Currently configured for Hoodi testnet (chain ID 560048). Explorer: https://hoodi.etherscan.io/
File Locations
| File | Purpose |
|---|---|
~/.config/goodwallet/config.json |
Shared credentials from goodwallet auth |
Typical Workflow
# 1. Auth (if not already done)
npx [email protected] auth
npx [email protected] pair
# 2. Check balance
npx [email protected] balance
# 3. Send ERC20 tokens
npx [email protected] erc20-send --to 0x... --amount 10 --token 0x...
# 4. Approve DEX router
npx [email protected] approve --token 0x... --spender 0x...
# 5. Swap on DEX
npx [email protected] swap --router 0x... --from-token ETH --to-token 0x... --amount 0.1
# 6. Arbitrary contract call
npx [email protected] contract-call --to 0x... --data 0xabcdef... --value 0.05
安全使用建议
This skill appears to implement exactly what it claims (MPC-signed wallet trading), but there are several red flags you should check before installing or using it:
- Confirm the author/source: the registry lists no homepage and the owner is unknown. Verify the 'goodwallet' npm package origin and that the native module is legitimate.
- The skill reads ~/.config/goodwallet/config.json for apiKey/share/address — make sure you trust the auth flow and that the file is only populated by the official goodwallet tool. The registry metadata should have declared this but did not.
- The code posts to an external signing endpoint (SIGN_URL, default sign.goodwallet.dev) and uses a relay URL. Verify these endpoints are the real GoodWallet/Sodot services and not attacker-controlled.
- The skill loads a native .node binary from the goodwallet package. Native modules can run arbitrary code on your machine; only proceed if the package and its binary are from a trusted source.
- There is a hard-coded Alchemy RPC URL (with an API key) in the code — this is an embedded credential and indicates default testnet use; it doesn’t directly leak your keys but shows the package bundles secrets. Consider overriding RPC_URL or inspecting the package to understand limits of that key.
- The skill supports arbitrary contract-call and token swaps; these actions can move funds. Always verify addresses, amounts, and outputs before approving or broadcasting transactions.
If you need to proceed, prefer running this in an isolated environment or container, inspect the goodwallet npm package and native binary contents yourself, and confirm the sign/relay endpoints and package authorship. If you cannot validate those points, treat the skill as untrusted.
功能分析
Type: OpenClaw Skill
Name: goodwallet-trading
Version: 0.2.1
The skill provides powerful blockchain trading tools, including a 'contract-call' command in index.js that allows the execution of arbitrary smart contract transactions, which could be used to drain assets if the agent is manipulated. It dynamically loads a native binary (libsodot_executor) from the 'goodwallet' dependency to perform MPC signing, introducing a significant supply-chain risk. Additionally, index.js contains a hardcoded Alchemy RPC API key, which is a security vulnerability. While these features are aligned with the stated purpose of a DeFi trading tool, the combination of arbitrary execution capabilities and native code loading warrants a suspicious classification.
能力评估
Purpose & Capability
The skill's stated purpose (ERC20 transfers, approvals, Uniswap V2 swaps, arbitrary contract calls signed via Sodot MPC) matches what the code implements: RPC calls, building transactions, and MPC signing via a native SDK. However the registry metadata omitted that the skill actually requires GoodWallet credentials stored at ~/.config/goodwallet/config.json and environment variables (SIGN_URL, RPC_URL) that the code reads — a mismatch between declared requirements and actual needs.
Instruction Scope
SKILL.md instructs the agent to run npx commands and to read/use ~/.config/goodwallet/config.json for credentials; the code indeed reads that file and posts signing requests to an external signing endpoint. The instructions also tell the agent not to reveal internal technical details, which reduces transparency. Reading the local config and contacting external sign/relay endpoints is necessary for MPC signing but was not declared in the registry metadata — this scope creep should be documented and verified.
Install Mechanism
No install spec in registry (instruction-only), but the package includes index.js and npm metadata. The code uses npx in instructions (downloads package at runtime) and requires the 'goodwallet' npm package and a native .node library from that package — loading native modules has higher risk than pure JS. There are no obscure download URLs, dependencies are from npm, but the native binary execution increases blast radius and should be verified as coming from the official goodwallet package.
Credentials
Registry declares no required env vars or config paths, yet the skill reads ~/.config/goodwallet/config.json (requires apiKey, share, address) and process.env.SIGN_URL / process.env.RPC_URL. The code also embeds a hard-coded Alchemy RPC URL (including an API key) as the default — an embedded credential. Requesting/using the user's GoodWallet API key/share is expected for signing, but the omission from metadata is a proportionality/documentation problem and a transparency/security concern.
Persistence & Privilege
The skill does not request always:true, does not claim system-wide persistence, and does not modify other skills' configs. It performs network calls and loads a native module but does not request elevated platform privileges in metadata.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install goodwallet-trading - 安装完成后,直接呼叫该 Skill 的名称或使用
/goodwallet-trading触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.2.1
Updated to goodwallet 0.2.0, verified compatibility with new auth/pair flow
v0.2.0
Updated for goodwallet 0.2.0 auth+pair flow. Added SKILL.md with full command docs.
v0.1.0
Initial release: ERC20 transfers, approvals, balance checks, DEX swaps, contract calls via MPC
元数据
常见问题
Goodwallet Trading 是什么?
Blockchain trading tools extending GoodWallet MPC agentic wallets. Adds ERC20 transfers, token approvals, DEX swaps (Uniswap V2), arbitrary contract calls, b... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 226 次。
如何安装 Goodwallet Trading?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install goodwallet-trading」即可一键安装,无需额外配置。
Goodwallet Trading 是免费的吗?
是的,Goodwallet Trading 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Goodwallet Trading 支持哪些平台?
Goodwallet Trading 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Goodwallet Trading?
由 Yoni(@yoniassia)开发并维护,当前版本 v0.2.1。
推荐 Skills