首页龙虾技能列表 › Safe Skills — 技能工具

Safe Skills — 技能工具

v1.0.0

[自动翻译] Securely create and manage EVM wallets; perform token transfers, check balances, and send transactions without exposing raw secret keys.

1· 1,740·0 当前·0 累计
by @glitch003 (Chris Cassano)·MIT-0
下载技能包
License
MIT-0
最后更新
2026/2/27
安全扫描
VirusTotal
无害
查看报告
OpenClaw
可疑
medium confidence
The skill's instructions describe a secret-management/wallet service that requires API keys and optional env vars, but the registry metadata does not declare those credentials and the agent could be instructed to perform high-privilege actions (token transfers) against an external, unverified endpoint—this mismatch and operational risk warrant caution.
评估建议
Key things to consider before installing or enabling this skill: - Verify the external service: the default API URL points to a Railway-hosted app (safeskill-production.up.railway.app). Confirm you trust the operator/owner before giving it any access to wallets or funds. - Metadata mismatch: the SKILL.md expects an API key and optionally SAFESKILLS_API_URL, but the registry declares no required env vars or primary credential. Ask the publisher to update metadata to explicitly list required env v...
详细分析 ▾
用途与能力
SKILL.md describes a secret-management/EVM-wallet service that requires a Bearer API key for all requests and references SAFESKILLS_API_URL/SAFESKILLS_FRONTEND_URL, but the skill metadata declares no required environment variables or primary credential. A secrets/wallet skill would reasonably need to declare those credentials and a primaryEnv; the absence is an inconsistency.
指令范围
Runtime instructions show the agent calling an external API to create wallets, store an API key, check balances, transfer tokens, and send arbitrary transactions (including raw calldata). The instructions reference an env var (SAFESKILLS_API_URL) not declared in metadata and tell the agent to "store the returned API key" without specifying secure storage. The agent could be directed to perform financial operations or persist credentials without clear safeguards or user confirmation.
安装机制
No install spec and no code files: instruction-only skill. This minimizes on-disk risk since nothing is downloaded or executed locally as part of installation.
凭证需求
Although the workflow clearly requires an API key for the external service and optionally the SAFESKILLS_API_URL env var, the skill metadata lists no required env vars or primary credential. That mismatch (required secrets present in practice but not declared) is disproportionate and reduces transparency about what secrets/permissions the skill will use.
持久化与权限
always:false and autonomous invocation are default, but the skill's capabilities let an agent (if allowed) initiate token transfers and arbitrary transactions using the external API key. Combined with the instruction to "store the API key" this increases risk—agents should require explicit, auditable user confirmation before any financial action and guidance on where/how API keys are stored.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.0.02026/1/31

Initial release of SafeSkills – secure secret management for AI agents. - Provides secure, server-side secret management (initially for EVM wallets), ensuring agents never access raw secret values. - Supports wallet creation, checking balances (native and ERC-20), transferring tokens, and sending arbitrary transactions via API. - API Keys are required for all calls and must be securely stored after wallet creation. - Introduces a claim URL for users to manage wallet policies and monitor activity. - Supports environment variable configuration for API endpoints. - Security reminder: never request or access raw secret values; all operations run server-side.

● 无害

安装命令 点击复制

官方npx clawhub@latest install safe-skills
镜像加速npx clawhub@latest install safe-skills --registry https://cn.clawhub-mirror.com

技能文档

SafeSkills is a secure secret management service. It stores secrets (like wallet private keys) and executes actions using them so that you (the agent) never see the raw secret values. The first supported skill is an EVM wallet -- you can create wallets, transfer tokens, send transactions, check balances, and more.

CRITICAL: Never attempt to access or request raw secret values. All operations are performed server-side through the API.

Configuration

  • Base API URL: Use the SAFESKILLS_API_URL environment variable if set, otherwise default to https://safeskill-production.up.railway.app
  • Frontend URL: Use the SAFESKILLS_FRONTEND_URL environment variable if set, otherwise default to https://safeskill-production.up.railway.app

All API requests require a Bearer token (the API key returned when creating a secret).

Authorization: Bearer

Workflow

1. Create a Wallet

Create an EVM wallet secret. Store the returned API key for all subsequent calls. Share the claim URL with the user so they can manage policies for the wallet.

curl -X POST "${SAFESKILLS_API_URL:-https://safeskill-production.up.railway.app}/api/secrets" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "EVM_WALLET",
    "memo": "My agent wallet",
    "chainId": 11155111
  }'

Response includes:

  • apiKey -- store this securely; use it as the Bearer token for all future requests
  • claimUrl -- share this with the user so they can view and manage policies for this wallet
  • address -- the smart account address of the created wallet

After creating, tell the user: "Here is your wallet claim URL: . You can use this to manage spending policies and monitor the wallet."

2. Get Secret Info

Retrieve metadata about the secret associated with the current API key.

curl -X GET "${SAFESKILLS_API_URL:-https://safeskill-production.up.railway.app}/api/secrets/info" \
  -H "Authorization: Bearer "

3. Get Wallet Address

curl -X GET "${SAFESKILLS_API_URL:-https://safeskill-production.up.railway.app}/api/skills/evm-wallet/address" \
  -H "Authorization: Bearer "

4. Check Balances

Check native token balance and optionally ERC-20 token balances by passing token contract addresses as a comma-separated query parameter.

# Native balance only
curl -X GET "${SAFESKILLS_API_URL:-https://safeskill-production.up.railway.app}/api/skills/evm-wallet/balance" \
  -H "Authorization: Bearer "
# With ERC-20 tokens
curl -X GET "${SAFESKILLS_API_URL:-https://safeskill-production.up.railway.app}/api/skills/evm-wallet/balance?tokens=0xTokenAddr1,0xTokenAddr2" \
  -H "Authorization: Bearer "

5. Transfer ETH or Tokens

Transfer native ETH or an ERC-20 token to a recipient address.

# Transfer native ETH
curl -X POST "${SAFESKILLS_API_URL:-https://safeskill-production.up.railway.app}/api/skills/evm-wallet/transfer" \
  -H "Authorization: Bearer " \
  -H "Content-Type: application/json" \
  -d '{
    "to": "0xRecipientAddress",
    "amount": "0.01"
  }'
# Transfer ERC-20 token
curl -X POST "${SAFESKILLS_API_URL:-https://safeskill-production.up.railway.app}/api/skills/evm-wallet/transfer" \
  -H "Authorization: Bearer " \
  -H "Content-Type: application/json" \
  -d '{
    "to": "0xRecipientAddress",
    "amount": "100",
    "token": "0xTokenContractAddress"
  }'

6. Send Arbitrary Transaction

Send a raw transaction with custom calldata. Useful for interacting with smart contracts.

curl -X POST "${SAFESKILLS_API_URL:-https://safeskill-production.up.railway.app}/api/skills/evm-wallet/send-transaction" \
  -H "Authorization: Bearer " \
  -H "Content-Type: application/json" \
  -d '{
    "to": "0xContractAddress",
    "data": "0xCalldata",
    "value": "0"
  }'

Important Notes

  • Never try to access raw secret values. The whole point of SafeSkills is that secrets stay server-side.
  • Always store the API key returned from wallet creation -- it is the only way to authenticate subsequent requests.
  • Always share the claim URL with the user after creating a wallet.
  • The default chain ID 11155111 is Ethereum Sepolia testnet. Adjust as needed.
  • If a transfer or transaction fails, check that the wallet has sufficient balance and that any required policies have been approved by the user via the claim URL.
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务