Virtuals

Virtuals Protocol integration for OpenClaw. Create, manage and trade tokenized AI agents on Base.

Before installing or running this skill: (1) Confirm the source/trustworthiness — registry metadata lists source as unknown and no homepage, even though SKILL.md references virtuals.io. Prefer skills with verifiable upstream repos. (2) Do not paste your mainnet private key into the CLI unless you understand the risk — the skill stores the key in plaintext JSON at ~/.openclaw/virtuals/config.json (file perms 600). Use a throwaway/test wallet or hardware/external signer if possible. (3) Verify whether you intend to work on testnet or mainnet — SKILL.md warns 'TESTNET ONLY' but the code points to mainnet.base.org and a mainnet contract address; this mismatch could cause accidental mainnet transactions and fund loss. (4) Inspect/verify the contract addresses and RPC endpoints hard-coded in the code before using trading/creation commands. (5) If you need full assurance, ask the publisher for source provenance or request that the skill implement secure signing (external signer/hardware-wallet integration) and explicitly support a testnet RPC option.

Type: OpenClaw Skill Name: virtuals Version: 1.0.0 The skill is classified as suspicious primarily due to its capability to store a user-provided private key on disk in `~/.openclaw/virtuals/config.json` via the `virtuals config --private-key <key>` command (documented in SKILL.md and implemented in src/cli.ts). While the code attempts to secure this file with `chmodSync(CONFIG_FILE, 0o600)` and the SKILL.md explicitly warns 'TESTNET ONLY for now - Don't use mainnet funds', storing private keys on disk is an inherently high-risk practice. The current implementation of the `create` command in `src/cli.ts` does not yet use the private key for on-chain transactions, directing users to a website instead, which prevents an immediate 'malicious' classification, but the risky capability remains.