Total downloads: 460 · Favorites: 0 · Current installs: 0 · Versions: 6
Install in OpenClaw
/install kite-agent-smart-wallet-permissionless-protocol-v2
Description
Manage your Kite AI smart wallet securely with natural language Telegram commands for wallet creation, balance checks, sessions, limits, and transactions.
Usage instructions (SKILL.md)
Kite AI Agent Smart Wallet Permissionless Protocol
Telegram wallet control for Kite AI: lets users control a cryptocurrency wallet through Telegram.
Introduction
A protocol that lets users manage a Kite AI on-chain wallet through Telegram.
- Bot runs locally
- Private key stays with user
- Fully decentralized
Features
- 📱 Telegram wallet control
- 🔐 Smart wallet
- 🔑 Session keys (authorization keys)
- 💰 Spending limits
- 🌍 Bilingual (Chinese and English)
Quick Start
1. Create a Telegram bot
- Open Telegram → @BotFather
- Send /newbot
- Give the bot a name
- Copy the token
2. Install
git clone <repo>
cd kite-wallet
npm install
3. Configure
PRIVATE_KEY=<your private key>
TELEGRAM_BOT_TOKEN=<your token>
4. Run
node telegram-bot.js
Commands
| Command (Chinese) | Command (English) | Function |
|---|---|---|
| /create | /create | Create wallet |
| /wallet | /wallet | View address |
| /balance | /balance | View balance |
| /session add | /session add | Add authorization |
| /limit set | /limit set | Set limit |
| /send | /send | Transfer |
Network
| Network | Chain ID | RPC |
|---|---|---|
| Testnet | 2368 | https://rpc-testnet.gokite.ai |
Contracts
| Contract | Address |
|---|---|
| AgentSmartWalletFactory | 0x0fa9F878B038DE435b1EFaDA3eed1859a6Dc098a |
Links
- 🌐 Website: https://gokite.ai
- 🔍 Explorer: https://testnet.kitescan.ai
- 🚰 Faucet: https://faucet.gokite.ai
- 📖 Docs: https://docs.gokite.ai
Version History
- v2.0.4 - Bilingual
- v2.0.3 - User guide
- v2.0.2 - User runs locally
- v1.0.0 - Initial
Author: VandNi
License: MIT
Security usage recommendations
What to consider before installing or running this skill:
- Origin & trust: The skill's source is listed as unknown. Prefer code from an identified, trusted repository/author. If you don't know the author, treat the package as untrusted.
- Secret handling: The bot requires a private key and a Telegram token. Do NOT use a real/mainnet/private key. Use an empty/test wallet with minimal funds. Keep secrets out of repository commits — remove or gitignore your .env before pushing. GITHUB-SETUP.md includes push instructions; follow them only after scrubbing secrets.
- Env name mismatch: The two JS files expect different env var names (telegram-bot.js expects PRIVATE_KEY and TELEGRAM_BOT_TOKEN; kite-wallet.js looks for KITE_WALLET_PRIVATE_KEY). Confirm which entrypoint you run and set the correct variables. Fix the code or env names before deploying to reduce confusion.
- Logging & leakage: The bot prints the wallet address to stdout. If you run this on a shared machine or CI, logs could leak sensitive info. Run in an isolated environment (local machine or container) and avoid log aggregation that might capture secrets.
- Test first: Run against the Kite testnet with a throwaway key and small test funds. Verify contract addresses on the provided explorer (testnet.kitescan.ai) and confirm factory behavior before using any valuable funds.
- Code audit suggestions: Inspect/patch to (1) unify env variable names; (2) avoid printing private-related info to logs; (3) ensure input validation of Telegram commands and addresses; (4) ensure userId is correctly mapped to an Ethereum address (current code passes Telegram numeric userId where an address is expected, which looks like a bug).
- Safer alternatives: If you need stronger security, sign transactions offline or use a hardware wallet / dedicated signing service rather than placing a raw private key in a .env file.
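The audit points above (one env name, no secrets in logs, validated commands, an explicit userId-to-address mapping) sketched as Node.js helpers; this is an added example, not code from the skill's telegram-bot.js or kite-wallet.js. The function names, the `/send <address> <amount>` argument format, the owner allow-list and all sample values are assumptions constructed for illustration.

```javascript
// Added example: hypothetical preflight helpers, not taken from the skill's source.
const KEY_VARS = ["PRIVATE_KEY", "KITE_WALLET_PRIVATE_KEY"]; // both names the review found
const HEX_KEY = /^(0x)?[0-9a-fA-F]{64}$/;
const HEX_ADDRESS = /^0x[0-9a-fA-F]{40}$/; // format check only, no EIP-55 checksum

// Resolve the signing key from either variable name; never echo the value in errors.
function loadConfig(env) {
  const found = KEY_VARS.filter((name) => env[name]);
  if (found.length === 0) throw new Error(`set one of: ${KEY_VARS.join(", ")}`);
  if (found.length === 2 && env[found[0]] !== env[found[1]]) {
    throw new Error("PRIVATE_KEY and KITE_WALLET_PRIVATE_KEY disagree; keep only one");
  }
  const privateKey = env[found[0]];
  if (!HEX_KEY.test(privateKey)) throw new Error(`${found[0]} is not a 32-byte hex key`);
  if (!env.TELEGRAM_BOT_TOKEN) throw new Error("TELEGRAM_BOT_TOKEN is not set");
  return { privateKey, botToken: env.TELEGRAM_BOT_TOKEN, keySource: found[0] };
}

// Safe-to-log view of the config: names and presence only, no secret material.
function describeConfig(cfg) {
  return `key from ${cfg.keySource} (redacted), bot token set: ${Boolean(cfg.botToken)}`;
}

// Map a Telegram numeric user id to an on-chain address through an explicit
// allow-list instead of passing the id where an address is expected.
function resolveOwner(userId, owners) {
  const address = owners.get(String(userId));
  if (!address) throw new Error("sender is not an authorized owner");
  if (!HEX_ADDRESS.test(address)) throw new Error("owner mapping holds a malformed address");
  return address;
}

// Parse "/send <address> <amount>" strictly (assumed syntax); reject anything else.
function parseSend(text) {
  const m = /^\/send\s+(\S+)\s+(\d+(?:\.\d{1,18})?)$/.exec(text.trim());
  if (!m) throw new Error("usage: /send <address> <amount>");
  if (!HEX_ADDRESS.test(m[1])) throw new Error("recipient is not a 20-byte hex address");
  if (Number(m[2]) <= 0) throw new Error("amount must be positive");
  return { to: m[1], amount: m[2] }; // amount kept as a string for exact unit parsing
}

// Constructed sample values (not real keys, ids, or addresses).
const sampleEnv = { KITE_WALLET_PRIVATE_KEY: "0x" + "11".repeat(32), TELEGRAM_BOT_TOKEN: "123:constructed" };
const sampleOwners = new Map([["424242", "0x" + "ab".repeat(20)]]);
const cfg = loadConfig(sampleEnv);
console.log(describeConfig(cfg));
console.log(resolveOwner(424242, sampleOwners), parseSend("/send 0x" + "cd".repeat(20) + " 1.5"));
```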
Functional analysis
Type: OpenClaw Skill
Name: kite-agent-smart-wallet-permissionless-protocol-v2
Version: 2.0.5
The skill is classified as suspicious primarily due to multiple prompt injection vectors present in the markdown documentation files (`SKILL.md`, `GITHUB-SETUP.md`, `README.md`, `USER-GUIDE.md`, `用户手册.md`). These files contain shell commands (`git clone`, `npm install`, `node telegram-bot.js`, `gh auth login`, `gh repo create --push`) intended for human setup, but which an AI agent could misinterpret and execute, leading to unauthorized actions (e.g., creating GitHub repositories, pushing code). While the JavaScript code (`kite-wallet.js`, `telegram-bot.js`) handles sensitive information (private keys, Telegram bot tokens) necessary for its stated purpose of managing a crypto wallet, it does not show direct evidence of intentional data exfiltration or other malicious behavior. The use of `ethers.js` for blockchain interactions and `https` for Telegram API calls is consistent with the skill's functionality. The `GITHUB-SETUP.md` file is a particularly strong indicator of prompt injection risk due to the `gh auth login` and `gh repo create --push` commands.
Capability assessment
Purpose & Capability
The stated purpose (Telegram control of a Kite AI testnet smart wallet) matches the code: telegram-bot.js and kite-wallet.js implement create/balance/session/limit/send commands and call a factory contract on the testnet RPC. However the registry/metadata claims no required env vars or primary credential while the code clearly requires a private key and Telegram bot token (inconsistent declarations).
Instruction Scope
SKILL.md and README instruct the user to set PRIVATE_KEY and TELEGRAM_BOT_TOKEN and run node telegram-bot.js — that aligns with telegram-bot.js. But kite-wallet.js expects a different env name (KITE_WALLET_PRIVATE_KEY), and both JS files log wallet.address to stdout (potentially leaking sensitive data in logs). GITHUB-SETUP.md includes steps to push the repo to GitHub — combined with .env usage this risks accidental exposure of private keys if users follow that without removing .env. The code talks to only expected endpoints (rpc-testnet.gokite.ai and api.telegram.org) and does not exfiltrate to unknown domains, but the mismatched env names and logging are scope concerns.
Install Mechanism
This is an instruction-only skill with included Node.js source and a standard package.json (ethers, dotenv). There is no remote download/install of arbitrary binaries or external archives; npm install is expected. No high-risk install URLs or extract steps are present.
Credentials
The skill reasonably needs a private key and a Telegram bot token to operate. However the registry metadata lists no required env vars while SKILL.md and the code require PRIVATE_KEY/TELEGRAM_BOT_TOKEN (telegram-bot.js) and KITE_WALLET_PRIVATE_KEY (kite-wallet.js) — this inconsistency can lead to misconfiguration and accidental key exposure. The number of secrets requested is proportionate, but the mismatch in env names and guidance to push repositories increases risk.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and runs locally as a user process. It uses standard network APIs to talk to Telegram and the testnet RPC. No persistent privileged installation behavior is present.
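How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install kite-agent-smart-wallet-permissionless-protocol-v2
- After installation, call the Skill by name or use /kite-agent-smart-wallet-permissionless-protocol-v2 to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history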
v2.0.5
- Improved and reorganized documentation for clarity, including setup instructions and feature highlights in SKILL.md
- Added a new GITHUB-SETUP.md file
- Updated metadata in skill.json
v2.0.4
v2.0.4 introduces a bilingual (Chinese-English) user guide for improved accessibility.
- All documentation now includes both Chinese and English explanations.
- Quick start, configuration, and command instructions are presented in both languages.
- Improves clarity for Chinese-speaking users without removing existing English content.
v2.0.3
- Added comprehensive user guides in both English (USER-GUIDE.md) and Chinese (用户手册.md).
- No changes to core logic or smart contract architecture.
v2.0.2
- Added kite-wallet.js with supporting code for smart wallet interaction.
- Updated SKILL.md: clarified local bot architecture, improved setup instructions, and enhanced environment/configuration details.
- Added testnet faucet and explorer references for easier onboarding.
- Streamlined security section to emphasize local key control.
- Minor documentation improvements for clarity and conciseness.
v2.0.1
- Added support for local Telegram bot deployment and configuration via `.env` file.
- Updated documentation to guide users through cloning, installation, configuration, and running the bot.
- Simplified and clarified environment variable and command documentation.
- Refined security notes and streamlined instructions for Telegram Bot setup.
v2.0.0
Kite Agent Smart Wallet Permissionless Protocol V2.0.0 adds Telegram wallet management:
- Control your Kite AI smart wallet via Telegram commands
- Support for natural language wallet instructions in Telegram
- Secure, owner-only access to wallet functions through Telegram
- New commands for wallet creation, balance checks, setting limits, session key management, and sending KITE
- Updated setup instructions for Telegram bot integration
FAQ
What is Kite Agent Smart Wallet Permissionless Protocol V2?
Manage your Kite AI smart wallet securely with natural language Telegram commands for wallet creation, balance checks, sessions, limits, and transactions. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 460 cumulative downloads so far.
How do I install Kite Agent Smart Wallet Permissionless Protocol V2?
Run the command "/install kite-agent-smart-wallet-permissionless-protocol-v2" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.
Is Kite Agent Smart Wallet Permissionless Protocol V2 free?
Yes, Kite Agent Smart Wallet Permissionless Protocol V2 is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does Kite Agent Smart Wallet Permissionless Protocol V2 support?
Kite Agent Smart Wallet Permissionless Protocol V2 is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Kite Agent Smart Wallet Permissionless Protocol V2?
It is developed and maintained by nihaovand (@nihaovand); the current version is v2.0.5.