Scan Report
5 /100
one-wallet
Helps the agent use the one-wallet CLI to manage Ethereum/EVM wallets, send transactions, call contracts, and sign data.
A legitimate Ethereum/EVM wallet CLI wrapper skill with fully declared capabilities, no hidden functionality, and appropriate security practices for handling cryptographic material.
Safe to install
Approve for use. This skill safely wraps the one-wallet CLI for Ethereum operations. No further security review required.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: npm install -g one-wallet / yarn global add one-wallet |
| Network | READ | READ | ✓ Aligned | SKILL.md: RPC calls to Ethereum nodes via one-wallet provider |
| Environment | READ | READ | ✓ Aligned | SKILL.md: ONE_WALLET_KEY_<NAME>, ONE_WALLET_PASSWORD_<NAME>, ONE_WALLET_RPC_URL |
| Filesystem | READ | READ | ✓ Aligned | SKILL.md: ~/.one-wallet path, ABI file reads via --abi-file flag |
1 finding
Medium: External URL
https://eth-mainnet.g.alchemy.com/v2/YOUR_KEY (SKILL.md:76)
File Tree
1 file · 8.5 KB · 347 lines (Markdown)
└─ SKILL.md (Markdown)
Security Positives
✓ All capabilities are clearly declared in SKILL.md with specific use cases
✓ Uses environment variables (ONE_WALLET_KEY_*, ONE_WALLET_PASSWORD_*) for secrets instead of hardcoding — appropriate for a wallet tool
✓ No obfuscation, base64 execution, or suspicious patterns detected
✓ No hidden instructions, comments, or shadow functionality present
✓ External dependencies are confined to the npm package 'one-wallet' with no direct code execution
✓ No credential harvesting beyond what is necessary for the wallet's core functionality
✓ Proper security guidance provided: 'Never hard-code real private keys or passwords in source-controlled files'
✓ RPC network calls are declared and necessary for blockchain interaction