📦 Kite Agent Smart Wallet V3 — 链上钱包管理

v3.0.2

通过 Telegram 与 OpenClaw 控制 Kite AI 链上钱包，一键完成创建、余额查询、转账、会话密钥与限额设置，免本地运行，安全便捷。

0· 413·0 当前·0 累计

by @nihaovand

自动化 API工具安全智能体

下载技能包

最后更新

2026/4/22

安全扫描

VirusTotal

可疑

查看报告

OpenClaw

可疑

medium confidence

The skill's code requires a wallet private key and grants on-chain control, but the SKILL.md and metadata do not declare or explain this secret requirement—this mismatch is risky and needs clarification before use.

评估建议

Do not install or use this skill until the author clarifies how signing keys are handled. Specific points to request/verify: 1) Where/how the wallet private key is provided and stored (the code expects a private key but SKILL.md/metadata do not declare this). 2) Who controls the private key used to create/send funds (giving the key to the agent equals giving custody of funds). 3) Why session keys are added with an all-functions selector and whether they can be scoped more narrowly. 4) Confirm th...

详细分析 ▾

⚠ 用途与能力

The skill claims to let users control Kite wallets via OpenClaw/Telegram, which is plausible, but the included code expects a signing private key (referenced in console output as KITE_WALLET_PRIVATE_KEY). The skill metadata declares no required environment variables or credentials — that is inconsistent with the code's need to hold a wallet private key to sign transactions.

⚠ 指令范围

SKILL.md describes commands and RPC/contract info but does not mention how the agent obtains the required wallet private key or where it should be stored. The runtime code will initialize a wallet from a private key and perform sends, create wallets, and add session keys (the addSessionKey call is configured to allow 'all functions' via a general selector), which implies sensitive, privileged actions that SKILL.md does not disclose or constrain.

ℹ 安装机制

There is no install spec (instruction-only), lowering install risk. However package.json/package-lock include ethers and other npm deps, so running the code will require installing node deps; the absence of an explicit install step is an operational omission but not itself malicious. Dependencies are standard and expected for Ethereum interaction.

⚠ 凭证需求

The code requires a wallet private key to sign transactions, but requires.env/primary credential are empty in the declared metadata. Requesting an uncompensated, undeclared secret that grants custody/transfer ability is disproportionate and should be explicitly declared and justified. The skill will have the ability to send funds and set session keys with broad permissions.

✓ 持久化与权限

always is false and there are no declared config path or system-modifying behaviors. The skill does not request permanent, system-level presence. The main concern is secret custody rather than persistence or privilege escalation in the platform.

安全有层次，运行前请审查代码。

运行时依赖

无特殊依赖

版本

latestv3.0.22026/2/25

- Internal improvements to kite-wallet.js for version 3.0.2. - No changes to user-facing features or documentation.

● 可疑

安装命令

点击复制

官方npx clawhub@latest install kite-agent-smart-wallet-v3

镜像加速npx clawhub@latest install kite-agent-smart-wallet-v3 --registry https://cn.longxiaskill.com

数据来源：ClawHub ↗ · 中文优化：龙虾技能库