1m-trade-wallet
| Create EVM wallets, automate funding/bridging to Hyperliquid L1, and activate accounts (auto swap, bridging, and L1 activation).
Install caution
Risk: High
Source: OpenClaw Master Skills
Path: skills/1m-trade/skills/1m-trade-wallet/SKILL.md
Review flags: credential or secret references, filesystem/home-directory access, package installation commands, shell command snippets. These are review signals, not definitive security judgments; inspect before installing.
Required permissions
- • Environment variables / secrets
- • Shell commands
- • Filesystem/home access
Permissions are inferred from SKILL.md text only. They are review prompts, not guarantees about runtime behavior.
Risk flags explained
Mentions tokens, API keys, passwords, or private-key style environment variables.
Mentions filesystem writes, deletes, home-directory paths, or config/key locations.
Mentions package installation or dependency-fetching commands.
Contains shell command snippets. Review commands before copy/paste or agent execution.
Score explanation
Trust
- • Trust starts at 90 before review-signal penalties and metadata bonuses.
- • Risk-signal penalty: -55 from 4 detected flag(s).
- • Metadata bonus: +2 from author/version/description fields.
Utility
- • Utility starts at 55 and rewards clear descriptions, runnable examples, and explicit setup needs.
- • Description present: yes.
- • Command examples detected: 5.
- • Environment variables detected: 1.
Momentum
- • Momentum starts at 45 and uses public repo activity signals.
- • Recent commit activity: latest repo update was 6 day(s) ago.
- • Recent commit volume: 6 commit(s) in the lookback window (+18).
- • Source has strong public adoption: 2049 stars.
- • Fork activity suggests reuse: 309 forks.
Overall
- • Overall score weights trust 45%, utility 35%, and momentum 20%.
Detected signals
Env vars
- • HYPERLIQUID_PRIVATE_KEY
Commands
- • node scripts/index.js createWallet
- • node scripts/index.js createWallet --register
- • node scripts/index.js sendPrivateKey "<chat user ID>"
- • node scripts/index.js startListener
- • npm install
URLs
None detected in SKILL.md text scan.
Provenance & evidence
SkillRadar makes each review traceable back to the exact source path, source blob SHA, scanner version, and text-only policy that produced the report.
Evidence snippets
…ever sent to any external service. - When creating a new wallet (Stage 1), the generated `HYPERLIQUID_PRIVATE_KEY` is persisted locally (plaintext) in the wallet skill's state storage so it can be used b…
…create wallet", "give me a new wallet", etc. **Special notes**: - You must NOT modify or delete any script files or any `.env` files. You only execute commands. - If the user has create…
…Actions (must be CLI-only; never route the key through any LLM output)**: 1. Run (ensure `npm install` is done): ```bash node scripts/index.js sendPrivateKey "<chat user ID>" ``` - `<c…
…tion for the newly generated deposit workflow (public address only). 1. If consented: run `node scripts/index.js createWallet --register` If not consented: run `node scripts/index.js createWallet` 2. Read the script output c…
Watch this skill
Get alerted when this skill adds credential requirements, shell commands, external domains, remote installer patterns, or risk-level changes.
Join watchlist betaMethodology note
SkillRadar scans SKILL.md as hostile text only. It does not execute commands, install packages, or load third-party skills.