← 返回 Skills 市场

Vincent - Agent Wallet

Name: Vincent - Agent Wallet
Author: glitch003

作者 Chris Cassano · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

1345

总下载

当前安装

版本数

在 OpenClaw 中安装

/install vincent

功能描述

Use this skill to safely create a wallet the agent can use for transfers, swaps, and any EVM chain transaction. Also supports raw signing and polymarket betting.

安全使用建议

This skill appears to implement an agent-controlled wallet via a hosted API (heyvincent.ai). Before installing: (1) verify the publisher and service (no source/homepage provided here); (2) confirm you trust heyvincent.ai to custody private keys and to act on the agent's behalf; (3) insist that the registry metadata be updated to declare the required API key/primary credential so the platform can surface and protect it; (4) store any API keys securely (avoid world-readable locations) and prefer per-agent, least-privilege API keys and strict spending policies; (5) test with minimal funds and monitor transactions; (6) if you cannot validate the service or the publisher, do not provide real funds or long‑lived credentials.

功能分析

Type: OpenClaw Skill Name: vincent Version: 1.0.0 The skill is classified as suspicious due to several high-risk capabilities and potential prompt injection vectors, despite its stated benign purpose. The `SKILL.md` file instructs the agent to store and retrieve API keys from specific file system paths (`~/.openclaw/credentials/agentwallet/` or `agentwallet/`), indicating file system read/write access. More critically, it explicitly instructs the agent to accept a user-provided `relinkToken` and use it directly in an unauthenticated API call to `https://heyvincent.ai/api/secrets/relink` to obtain a new API key. This creates a direct prompt injection surface where user input is treated as a sensitive authorization token, allowing a malicious user to potentially trick the agent into misusing the recovery mechanism. The skill also involves high-risk financial transactions (transfers, swaps, betting) via API calls to `https://heyvincent.ai`.

能力评估

⚠ Purpose & Capability

The SKILL.md clearly requires an API key (Bearer token) to create and operate wallets on heyvincent.ai; however the registry metadata lists no primary credential or required env vars. That is inconsistent: the skill cannot function as documented without a secret but the package does not declare or surface that requirement. Also there is no source/homepage provided for the publisher, making it harder to validate.

ℹ Instruction Scope

The runtime instructions are narrowly focused on wallet operations (create wallet, get balances, transfer, swap, raw signing, polymarket betting). They explicitly instruct storing and using an API key (paths such as ~/.openclaw/credentials/agentwallet/<API_KEY_ID>.json or ./agentwallet/...), and describe interactions with a remote API (heyvincent.ai). They do not instruct reading unrelated system files, but they do instruct where to persist credentials which can increase risk if the files are accessible to other components.

✓ Install Mechanism

Instruction-only skill with no install spec and no code files — low install risk. However it relies on outbound network calls to a third‑party domain (heyvincent.ai), which is expected for a hosted wallet service but should be verified by the user.

⚠ Credentials

Although the skill requires an API key to operate, the metadata declares no required environment variables or primary credential. That omission is disproportionate and problematic: the skill will expect and use a secret, but the platform won't prompt for or label it. The SKILL.md also recommends specific storage paths for credentials, which could be sensitive if other skills or processes can access them.

✓ Persistence & Privilege

The skill does not request always:true and has typical autonomous-invocation defaults. That is normal. Note: if you grant the skill (or the agent) the API key, it can autonomously initiate transfers within the wallet's policy — so giving the key is effectively granting on‑chain transaction capability.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install vincent
安装完成后，直接呼叫该 Skill 的名称或使用 /vincent 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Vincent 1.0.0 – Initial Release - Provides secure wallets for agents supporting transfers, swaps, EVM chain transactions, raw signing, and Polymarket betting. - Ensures the agent never accesses the private key; all transactions are server-side, controlled by owner-set policies. - Offers multiple wallet types: EVM_WALLET, RAW_SIGNER, and POLYMARKET_WALLET, each optimized for specific use cases. - Allows owners to configure policies for address, token, function allowlists, and spending limits. - Includes REST API endpoints for creating wallets, checking balances, transferring tokens, swapping, executing arbitrary transactions, and API key recovery. - Comprehensive documentation for setup, usage, and recovery is provided.

元数据

Slug vincent

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Vincent - Agent Wallet 是什么？

Use this skill to safely create a wallet the agent can use for transfers, swaps, and any EVM chain transaction. Also supports raw signing and polymarket betting. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 1345 次。

如何安装 Vincent - Agent Wallet？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install vincent」即可一键安装，无需额外配置。

Vincent - Agent Wallet 是免费的吗？

是的，Vincent - Agent Wallet 完全免费（开源免费），可自由下载、安装和使用。

Vincent - Agent Wallet 支持哪些平台？

Vincent - Agent Wallet 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Vincent - Agent Wallet？

由 Chris Cassano（@glitch003）开发并维护，当前版本 v1.0.0。