📦 Kite Agent Smart Wallet Permissionless Protocol V2 — 智能钱包管理
v2.0.5用自然语言在 Telegram 发指令,安全创建 Kite AI 智能钱包、查余额、管会话、设限额并快捷转账。
0· 424·0 当前·0 累计
by @nihaovand下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
What to consider before installing or running this skill:
- Origin & trust: The skill's source is listed as unknown. Prefer code from an identified, trusted repository/author. If you don't know the author, treat the package as untrusted.
- Secret handling: The bot requires a private key and a Telegram token. Do NOT use a real/mainnet/private key. Use an empty/test wallet with minimal funds. Keep secrets out of repository commits — remove or gitignore your .env before pushing. GITHUB-SETUP.md i...详细分析 ▾
ℹ 用途与能力
The stated purpose (Telegram control of a Kite AI testnet smart wallet) matches the code: telegram-bot.js and kite-wallet.js implement create/balance/session/limit/send commands and call a factory contract on the testnet RPC. However the registry/metadata claims no required env vars or primary credential while the code clearly requires a private key and Telegram bot token (inconsistent declarations).
⚠ 指令范围
SKILL.md and README instruct the user to set PRIVATE_KEY and TELEGRAM_BOT_TOKEN and run node telegram-bot.js — that aligns with telegram-bot.js. But kite-wallet.js expects a different env name (KITE_WALLET_PRIVATE_KEY), and both JS files log wallet.address to stdout (potentially leaking sensitive data in logs). GITHUB-SETUP.md includes steps to push the repo to GitHub — combined with .env usage this risks accidental exposure of private keys if users follow that without removing .env. The code talks to only expected endpoints (rpc-testnet.gokite.ai and api.telegram.org) and does not exfiltrate to unknown domains, but the mismatched env names and logging are scope concerns.
✓ 安装机制
This is an instruction-only skill with included Node.js source and a standard package.json (ethers, dotenv). There is no remote download/install of arbitrary binaries or external archives; npm install is expected. No high-risk install URLs or extract steps are present.
⚠ 凭证需求
The skill reasonably needs a private key and a Telegram bot token to operate. However the registry metadata lists no required env vars while SKILL.md and the code require PRIVATE_KEY/TELEGRAM_BOT_TOKEN (telegram-bot.js) and KITE_WALLET_PRIVATE_KEY (kite-wallet.js) — this inconsistency can lead to misconfiguration and accidental key exposure. The number of secrets requested is proportionate, but the mismatch in env names and guidance to push repositories increases risk.
✓ 持久化与权限
The skill does not request always:true, does not modify other skills or system-wide settings, and runs locally as a user process. It uses standard network APIs to talk to Telegram and the testnet RPC. No persistent privileged installation behavior is present.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv2.0.52026/2/25
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install kite-agent-smart-wallet-permissionless-protocol-v2
镜像加速npx clawhub@latest install kite-agent-smart-wallet-permissionless-protocol-v2 --registry https://cn.longxiaskill.com