pocket-money
Author: Operator @ AutEng AI · v2.0.0
Total downloads: 579
Favorites: 0
Current installs: 0
Versions: 5
Install in OpenClaw
/install pocket-money
Description
Give your AI agent crypto wallets on Base. Create purpose-specific wallets, ask your human to fund each one, check balances, and manage budgets. No accounts,...
Security usage recommendations
This skill is coherent with its stated aim (creating local Base/USDC wallets), but it has security-sensitive components you should review before installing:
1) Inspect the @auteng/pocket-money package source on GitHub and the npm package contents (including dependencies and postinstall scripts).
2) Do not fund these wallets with more than a small, reviewed amount — treat them as petty cash.
3) Consider requiring encrypted keystores or a hardware signing flow rather than unencrypted JSON files on disk; if you must use these files, keep strict filesystem permissions and backups off the machine.
4) Confirm the RPC endpoints (mainnet.base.org) and whether gas in ETH is actually required — the SKILL.md claim that "no ETH needed for gas" may be inaccurate on Base unless a gas-sponsorship mechanism is used.
5) If possible, run the npm package in a sandboxed environment or audit it first; pin to a specific package version and vendor.
6) Be aware that the agent can be invoked autonomously; if you want to prevent accidental spending, restrict autonomous invocation for this skill or ensure that human approval can be enforced by policy.
If you cannot audit the package and accept these risks, proceed cautiously; otherwise, treat this skill as potentially dangerous.
Functional analysis
Type: OpenClaw Skill
Name: pocket-money
Version: 2.0.0
The skill stores unencrypted private keys for crypto wallets on disk at `.auteng/wallets/<name>.json`, which is a significant vulnerability as it exposes funds if the host machine is compromised. While the `SKILL.md` transparently discloses this risk and provides mitigations (e.g., restricted file permissions, advice to use small amounts, and explicit instructions for the AI agent to seek human approval before any spending), the inherent risk of unencrypted key storage makes it suspicious. There is no evidence of intentional malicious behavior like data exfiltration or unauthorized remote control.
Capability assessment
Purpose & Capability
Name and description align with the requested artifacts: node/npm are required for the @auteng/pocket-money package, and the skill expects a local config directory .auteng/wallets/ where wallets are stored. No unrelated credentials or bizarre binaries are requested.
Instruction Scope
The SKILL.md instructs creating, loading, and storing private keys as unencrypted JSON at .auteng/wallets/<name>.json (0600). It also instructs the agent to poll the Base RPC and to wait for funding. The document relies on the human for explicit approval before spending, but that is procedural (not enforced technically). There is no instruction-level protection preventing an agent or installed code from programmatically signing and sending transactions without human confirmation.
Install Mechanism
Install is via an npm package (@auteng/pocket-money). Installing an npm package grants arbitrary code execution on the host at install/runtime; this is expected for a Node-based skill but is a meaningful risk because the package will have access to wallet files and could exfiltrate keys. The package source is referenced in SKILL.md (GitHub and npm links), which helps reviewability, but the registry metadata lacked a homepage entry — you should verify the package identity and inspect source before installing.
Credentials
No environment variables or unrelated credentials are requested. The only filesystem access declared is the .auteng/wallets/ path where wallet JSONs are stored. That is consistent with the stated functionality, but the data stored there (private keys) is highly sensitive, so minimality of requested variables doesn't remove the risk.
Persistence & Privilege
always:false (good). The skill can be invoked autonomously (platform default). Combined with an installed npm package that can access and sign with local private keys, autonomous invocation increases blast radius: the agent or package could sign/send transactions programmatically. SKILL.md relies on human approval but cannot technically enforce it.
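How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install pocket-money
- Once installation completes, call the Skill by name or trigger it with /pocket-money
- Provide the required inputs according to the Skill's parameter description to get structured output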
Version history
v2.0.0
Version 2.0.0
- Migrated package to @auteng/pocket-money (from @auteng/agent-utils) with updated install instructions and repository links.
- Refocused documentation to core wallet creation, funding, management, and security.
- Removed x402 protocol/payment, API call, and discovery features, including fetch integration and compute/convenience modules.
- Added network selection (Base mainnet and Base Sepolia testnet) at wallet creation.
- Updated examples and instructions for funding workflows and balance checks.
- Clarified security and usage recommendations.
v1.4.0
- Added metadata section to SKILL.md with requirements, install instructions, and homepage.
- Expanded documentation with a new Security & Storage section, detailing wallet private key handling, network access, and payment signing.
- Clarified mitigation advice around safe wallet funding and usage.
- No changes to runtime code—documentation and metadata update only.
v1.3.0
Version 1.3.0
- Expanded support: pay for any x402-enabled service, not just AutEng Compute.
- Updated documentation: clarified usage for generic x402 endpoints and API workflows.
- Added info on x402 discovery (`x402.probe`, `x402.discover`) and price formatting helpers.
- Simplified wallet naming and usage examples.
- Minor rewording for clarity and generalization beyond AutEng-specific services.
v1.1.0
Version 1.1.0
- Adds requirement for explicit human approval before spending from any wallet.
- Updated documentation to include a new section detailing the approval workflow: show the human the estimated cost and wait for confirmation before proceeding.
- Emphasizes presenting costs and operations up front, especially for batches or loops.
- Clarifies wallet usage as "petty cash," not for savings, and strengthens instructions for safe, budgeted spending.
- Improves guidance around checking pricing, tracking budgets, and wallet file security details.
v1.0.0
- Initial release of pocket-money skill.
- Allows agents to create and manage USDC wallets (Base network) for funding and x402 service payments.
- Supports autonomous spending, wallet creation by purpose, and requesting human funding with clear instructions.
- Provides APIs for wallet creation, balance checking, funding waits, and x402-enabled payments.
- No accounts or KYC required; privacy-first, using only addresses and local key storage.
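FAQ
What is pocket-money?
Give your AI agent crypto wallets on Base. Create purpose-specific wallets, ask your human to fund each one, check balances, and manage budgets. No accounts,... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 579 cumulative downloads to date.
How do I install pocket-money?
Run the command "/install pocket-money" in the OpenClaw or Claude Code chat box for a one-click install, with no additional configuration required.
Is pocket-money free?
Yes, pocket-money is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does pocket-money support?
pocket-money is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed pocket-money?
Developed and maintained by Operator @ AutEng AI (@operator-auteng-ai); the current version is v2.0.0.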