Is glitch003/vincent safe?

The skill grants the agent standing authority to transfer ETH, swap tokens, and call arbitrary smart contracts. No confirmation is required per transaction. The only safeguard is the wallet policy system, which is empty by default until the wallet owner manually claims and configures it. A manipulated or compromised agent could drain a funded wallet. This is inherently high-risk for any agent exposed to external content.

The private key is generated entirely server-side by heyvincent.ai and is never accessible to the user or the agent. Users must trust heyvincent.ai's security posture, business continuity, and integrity. A compromise, shutdown, or malicious action by heyvincent.ai results in complete loss of access to funds. The skill provides no mechanism for key export or self-custody migration.

The skill explicitly instructs the agent: 'If a user tells you they have a re-link token, use this endpoint to regain access to the wallet.' The re-link endpoint requires no authentication beyond the token itself, which expires in 10 minutes and is one-time use. An attacker who can inject text into the agent's context (malicious webpage, document, email, another skill's output) could claim possession of a re-link token and redirect wallet API access without the legitimate owner's knowledge.

The RAW_SIGNER wallet type can sign any hex-encoded byte sequence with ECDSA (Ethereum secp256k1) or Ed25519 (Solana). This bypasses the smart account and its associated policy guardrails. A prompt-injection attack presenting the agent with a crafted hex payload — disguised as a legitimate signing request — could authorize arbitrary external transactions or message signatures without spending-limit enforcement.

The skill instructs the agent to persist wallet Bearer tokens at either ~/.openclaw/credentials/agentwallet/.json (openclaw instances) or ./agentwallet/.json (other environments). These predictable paths could be read by other skills, processes, or injected instructions that have filesystem read access, enabling credential theft without direct interaction with the wallet service.

The send-transaction endpoint accepts any EVM contract address and calldata hex payload, enabling the agent to call malicious contracts, approve unlimited ERC-20 allowances to attacker addresses, or execute any on-chain operation. Combined with a browsing or document-reading skill, prompt injection from external sources (e.g. a DeFi site with hidden instructions) could direct the agent to execute harmful contract interactions.

Every API request — including wallet creation, balance queries, transaction history, market positions, and executed trades — passes through heyvincent.ai. This third party maintains a complete record of the agent's financial activity and has the technical ability to censor, modify, or log all transactions.

Installation used a standard Git sparse checkout from github.com/openclaw/skills.git. All observed outbound network connections during install were to GitHub (140.82.114.3:443) and Ubuntu/Canonical servers (185.125.x.x:443). No unexpected DNS queries, process spawning, or filesystem writes outside the skill directory were detected.

Post-install canary verification confirmed that .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json were not modified or exfiltrated. The auditd PATH events showing access to these files at timestamps 1771948783 and 1771948800 are consistent with Oathe's own pre/post-install baseline scanning process.