← 返回 Skills 市场

Sponge Wallet

Name: Sponge Wallet
Author: rishabluthra

作者 Rishab Luthra · GitHub ↗ · v0.1.2

cross-platform ⚠ suspicious

1798

总下载

当前安装

版本数

在 OpenClaw 中安装

/install wallet-skills

功能描述

Manage crypto wallets, transfers, swaps, and balances via the Sponge Wallet API.

安全使用建议

This skill appears to do what it says (manage wallets via the Sponge Wallet API), but pay attention before installing: 1) SKILL.md tells agents to use an 'agent-first' registration flow that returns an API key immediately — that means an agent could perform transactions before a human explicitly claims the wallet. If you require human approval, prefer the standard device flow. 2) The skill instructs writing the API key to ~/.spongewallet/credentials.json (and exporting it). Confirm you are comfortable storing a live crypto API key on disk; consider using least-privilege keys or isolated accounts and rotate keys frequently. 3) The registry metadata did not declare the ~/.spongewallet config path even though the instructions use it — treat that as a minor inconsistency and verify how your agent runtime will handle the file. 4) Ensure the SPONGE_API_KEY you provide has only the permissions you expect; if possible test on testnet keys first. 5) Verify the skill's source/homepage before granting any live keys. If you need stricter guarantees (human-in-the-loop for any transfer or disabling agent-autonomy), require those controls before installing.

功能分析

Type: OpenClaw Skill Name: wallet-skills Version: 0.1.2 This skill is classified as suspicious due to the exposure of several high-risk capabilities to the AI agent, which could be abused via prompt injection. Most notably, the `x402_fetch` endpoint allows the agent to make arbitrary HTTP requests to any URL and automatically pay for them using the agent's wallet, combining broad network access with financial expenditure. Additionally, the skill enables direct cryptocurrency transfers, swaps, bridges, Polymarket trading, and Amazon purchases, all of which are high-impact financial operations. While these features are intended, their broad scope and the agent's ability to execute shell commands (`curl`) based on `SKILL.md` instructions present a significant attack surface for unauthorized actions if the agent is compromised.

能力评估

✓ Purpose & Capability

Name, description, and required credential (SPONGE_API_KEY) line up with a REST-API-only crypto wallet skill. No unrelated binaries or extra cloud creds are requested.

⚠ Instruction Scope

SKILL.md instructs agents to call many wallet endpoints, to store the API key and claim info in ~/.spongewallet/credentials.json, and to use an 'agent-first' registration flow that returns an apiKey immediately. The skill asks agents to send claim URLs to humans and optionally post tweet text. The instructions reference reading and writing a home-folder file (credentials.json) even though the registry metadata lists no required config paths.

✓ Install Mechanism

This is an instruction-only skill with no install spec and no code files — lowest install risk.

ℹ Credentials

Only SPONGE_API_KEY is required (proportionate). However, SKILL.md also expects/encourages reading/writing ~/.spongewallet/credentials.json and exporting SPONGE_API_URL at runtime; that file path is not declared in the registry metadata, creating a metadata/instruction mismatch that users should be aware of.

⚠ Persistence & Privilege

always:false (good), but the instructions explicitly recommend agent-first registration which returns an API key immediately and to persist it locally. Combined with normal autonomous invocation (disable-model-invocation: false), an agent could act with the key before a human claims or approves — this increases the blast radius for a misbehaving or compromised skill.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install wallet-skills
安装完成后，直接呼叫该 Skill 的名称或使用 /wallet-skills 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.2

- Major expansion of supported endpoints: added Polymarket trading, Amazon checkout and search, and x402 service discovery. - API now supports "agent-first" registration mode, enabling instant API key issuance before human claim. - Balance endpoint now includes Polymarket USDC.e balances. - Standard credential storage updated to optionally include `claimCode` and `claimUrl`. - Registration instructions and claim flow documentation expanded for clarity.

v0.1.1

- Removed the long introductory HTML comment ("TL;DR for token-constrained agents — stop here if context is tight") and its block from the documentation. - No changes to skill logic, endpoints, or tool usage—documentation only. - Content and instructions in all functional sections remain the same.

v0.1.0

Initial public release of the sponge-wallet skill. - Provides doc-only guidance for interacting with the Sponge Wallet API. - Supports crypto wallet management, transfers, swaps, bridging, and balance checks across EVM and Solana chains. - Details secure agent registration, device authorization, and credential storage requirements. - Includes concise API reference, common headers, tool-to-endpoint mapping, and example usage patterns. - Requires storing API keys at ~/.spongewallet/credentials.json or via SPONGE_API_KEY environment variable.

元数据

Slug wallet-skills

版本 0.1.2

许可证 —

累计安装 0

当前安装数 0

历史版本数 3

常见问题

Sponge Wallet 是什么？

Manage crypto wallets, transfers, swaps, and balances via the Sponge Wallet API. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 1798 次。

如何安装 Sponge Wallet？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install wallet-skills」即可一键安装，无需额外配置。

Sponge Wallet 是免费的吗？

是的，Sponge Wallet 完全免费（开源免费），可自由下载、安装和使用。

Sponge Wallet 支持哪些平台？

Sponge Wallet 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Sponge Wallet？

由 Rishab Luthra（@rishabluthra）开发并维护，当前版本 v0.1.2。