Is agentwallet safe?

The SKILL.md contains extensive persuasive framing ('Model invocation is intentionally enabled', 'this is expected behavior for an autonomous wallet agent') specifically designed to convince the agent to execute financial transactions (transfers, swaps, arbitrary contract calls) without per-action user confirmation. This is a form of soft prompt injection — the skill preemptively argues against the agent's normal caution about financial operations, effectively instructing it to bypass its own safety defaults.

The skill directs the agent to persist API keys to specific filesystem paths (~/.openclaw/credentials/agentwallet/ or ./agentwallet/). While the skill declares these paths in metadata, this creates credential files on disk that other skills, processes, or malicious actors could read. The stored API key grants the ability to execute financial transactions within whatever policies are set (or NO policies if unclaimed).

The Security Model section is unusually long and detailed, containing preemptive rebuttals to security concerns an agent might raise. Phrases like 'No environment variables are required because...', 'The agent's API key is not a private key', and 'even if another process reads it' are crafted to suppress the agent's natural security flags. A legitimate skill would not need to spend 500+ words convincing the agent that its behavior is safe.

The skill explicitly states that before a wallet is claimed, the agent operates with NO policy restrictions. Between wallet creation and the user claiming ownership via the claim URL, any transaction the agent sends will be executed without spending limits, address allowlists, or approval requirements. If another skill or prompt injection triggers a transfer during this window, there are zero guardrails.

Every wallet operation (creation, transfers, swaps, balance checks, signing) sends data to heyvincent.ai. The user must trust this server with: all transaction metadata, recipient addresses, amounts, and the private keys themselves (held server-side). While the skill claims the server is open-source and audited, the hosted instance could behave differently from the published code.

Credentials are stored at well-known paths (~/.openclaw/credentials/agentwallet/ or ./agentwallet/) that any other skill or process on the system could enumerate and read. A malicious skill could search these paths to obtain the Bearer token and execute transactions against the Vincent API.

The /api/secrets/relink endpoint accepts a re-link token with no additional authentication. If a re-link token is intercepted (e.g., from chat history, logs, or another skill reading the conversation), an attacker gains full API key access to the wallet. The 10-minute expiry mitigates but does not eliminate this risk.

If this skill is installed alongside other skills, a prompt injection in any other skill could instruct the agent to use the wallet skill to transfer funds. The wallet skill's persuasive framing that autonomous financial operations are 'expected behavior' makes it more likely the agent will comply without questioning the request's legitimacy.

Filesystem monitoring shows reads of .env, .aws/credentials, .profile, and .bashrc during the install phase. These appear to be from the OpenClaw host environment bootstrapping rather than the skill itself, but the skill cannot be definitively separated from the environment in this monitoring data.

The skill contains only SKILL.md, _meta.json, and origin.json. No JavaScript, shell scripts, git hooks, submodules, symlinks, or install scripts were found. Package.json is empty. The skill operates entirely through agent-interpreted curl commands in the markdown.