dome

TokClaw Wallet

Author: DOM CHAROENYOS · GitHub ↗ · v5.9.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 106
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install tokclaw
Description
TokClaw Wallet agent for blockchain wallet operations including registration, login, balance check, token transfers, and PIN management on TokClaw chain (7447).
Security recommendations
This skill instructs the agent to download and immediately run a shell script from an unverified domain and to execute wallet commands itself (curl | sh and sh tokclaw-wallet.sh ...). That pattern is high-risk: a remote script can run arbitrary code, read or exfiltrate files, or create persistent backdoors. Before installing: (1) do not let the agent run curl | sh autonomously — require the user to run installs manually; (2) verify the install URL and source repository (prefer GitHub releases or a package manager and a checksum); (3) inspect the script contents before executing; (4) avoid giving the agent an exec tool that can run shell commands on your system, or limit it to clearly scoped commands; (5) prefer a wallet implementation with a published repo, signatures, and clear privacy/security docs. Given the strong red flags, avoid installing this skill until you can validate the script and its provenance.
Functional analysis
Type: OpenClaw Skill
Name: tokclaw
Version: 5.9.0
The SKILL.md file contains aggressive prompt-injection instructions designed to bypass agent safety guardrails by mandating the immediate execution of remote code (curl | sh) from wallet.tokclaw.com without user confirmation. It also directs the agent to store sensitive data like PINs in plaintext files (tokclaw-pin.txt) and explicitly forbids the agent from asking for user permission. While these behaviors are framed as automation for a blockchain wallet, the combination of unverified remote execution and the intentional suppression of user oversight represents a high-risk security profile.
Capability tags
crypto · requires-wallet · requires-sensitive-credentials
Capability assessment
Purpose & Capability
A wallet CLI could legitimately require installing a helper script, but the SKILL.md mandates the agent itself run curl -fsSL https://wallet.tokclaw.com/install | sh and then execute arbitrary shell commands. The registry declares no install or code, yet the instructions demand installing and running a remote script — this is disproportionate and not justified by the metadata.
Instruction Scope
The instructions explicitly require the agent to execute remote install and many shell commands (register, login, send, etc.) without involving the user, and forbid asking the user to run anything. They direct use of an exec tool to run a piped shell install from an unverified domain — a wide scope that can perform arbitrary system actions and exfiltrate data.
Install Mechanism
There is no formal install spec in the registry; instead SKILL.md tells the agent to run curl | sh against https://wallet.tokclaw.com/install. This is a high-risk install pattern (download-and-execute) from an unrecognized domain rather than a vetted release host (GitHub releases, official package manager). The registry provides no checksum, source repo, or verification details.
Credentials
The skill declares no required env vars or credentials, yet asks the agent to create and use a local CLI which likely will read or create secrets (auth tokens, PINs, wallet files). Because the install runs arbitrary shell code, it may access any environment variables, files, or network endpoints — far more privilege than the metadata indicates or than a simple instruction-only skill should need.
Persistence & Privilege
always is false, but the SKILL.md's insistence that the agent autonomously run installation and CLI commands (and never ask the user to run them) increases the effective privilege and blast radius. The skill asks the agent to write a script into the environment and run it, which grants persistent local capabilities that aren't evident in the metadata.
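How to use
  1. Make sure OpenClaw is installed (locally or as a Docker deployment)
  2. Enter the install command in the chat box: /install tokclaw
  3. Once installation completes, call the Skill by name or trigger it with /tokclaw
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history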
v5.9.0
**Major change: Now uses shell script interface instead of direct curl API calls.**
- Replaced all direct API (curl) instructions with commands to install and use `tokclaw-wallet.sh` shell script.
- The agent now ALWAYS installs and calls the wallet shell script itself; it must never ask the user to run, install, or confirm anything.
- All wallet operations (registration, login, balance check, transfers) must be executed through the script, not by calling REST API endpoints.
- Stronger, clearer rules: Do not expose PIN, never say "please run this," always execute first and inform the user after.
- File writing and PIN management are now handled by the script automatically.
- Streamlined user prompts: the agent only asks for necessary inputs (email, OTP, PIN, recipient, amount).
v3.0.0
tokclaw-wallet 3.0.0
- Major update: Skill now requires real interaction with the TokClaw blockchain wallet API, no simulation allowed.
- Strict new workflow: All API calls must be executed using the exec tool, never simulated or delegated to the user.
- Mandatory file handling: Wallet data, JWT tokens, and PINs must be written to local files immediately after relevant API actions—never request user permission.
- API responses must be parsed and immediately saved to: tokclaw-wallet.json (on registration), tokclaw-auth.txt (on login), and tokclaw-pin.txt (on PIN setup/change).
- User guidance and confirmations now clearly split from file writing; always confirm file write after the action.
- PIN management clarified: PIN must be handled securely, never exposed, and always stored immediately after setup or change.
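Metadata
Slug: tokclaw
Version: 5.9.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 2
Frequently asked questions

What is TokClaw Wallet?

TokClaw Wallet agent for blockchain wallet operations including registration, login, balance check, token transfers, and PIN management on TokClaw chain (7447). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 106 total downloads to date.

How do I install TokClaw Wallet?

Run the command "/install tokclaw" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.

Is TokClaw Wallet free?

Yes, TokClaw Wallet is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does TokClaw Wallet support?

TokClaw Wallet is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops TokClaw Wallet?

It is developed and maintained by DOM CHAROENYOS (@dome); the current version is v5.9.0.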
