Community code plugin. Review compatibility and verification before install.
Latest release: v0.1.5
Security Scan
OpenClaw scanner verdict: Suspicious (high confidence)
Purpose & Capability
The onchain gameplay tools, local signer, web bridge, and background automation fit the stated Agentbox purpose, but the artifacts also allow plaintext private-key storage and private-key export through runtime and HTTP bridge paths, which is high-impact and under-protected.
Instruction Scope
The skill documentation lists many irreversible or value-affecting onchain actions, including AGC transfers, land buying, global messages that consume AGC, and gameplay state changes, but it does not prominently require explicit user confirmation for spending or state-changing actions.
Install Mechanism
The package is a community, source-linked legacy zip plugin that executes code and activates on startup; no hidden installer or obfuscated install behavior was found, but it is not an official trusted @openclaw package and lacks provenance.
Credentials
The local bridge is disclosed, token-gated, and origin-restricted, but it grants broad browser-accessible authority including signer import/export, RPC configuration changes, chat/session access, and background job controls.
Persistence & Privilege
The plugin persists signer material in active_signer.json as plaintext, starts a bridge service on startup, and can create recurring planner/executor cron jobs that repeatedly invoke agent actions.
Scan Findings in Context
[SDI-2] unexpected: Confirmed: bridge.js exposes signer import/export endpoints, including raw private-key export, over the local bridge. A local signer is expected for gameplay, but HTTP-accessible plaintext key export is not proportionate without stronger confirmation and isolation.
[SDI-2] unexpected: Confirmed: bridge.js allows bridge callers to update runtime RPC configuration. RPC selection is related to blockchain gameplay, but remote mutation through the same browser bridge is broad administrative authority.
[SDI-2] expected: Confirmed: bridge.js manages planner/executor cron jobs for background gameplay automation. This matches the changelog and README, but it materially increases persistence and should be user-controlled.
[SDI-4] unexpected: Confirmed: runtime/player-runtime.js returns the stored private key in the signer export tool result. Export may support backup, but returning raw secrets in tool output is unsafe in agent/tooling contexts.
[SQP-2] unexpected: Confirmed: README.md discloses local signer state but lacks clear security guidance about wallet-key confidentiality, local filesystem risk, bridge token handling, and backups.
[SQP-2] unexpected: Confirmed: bridge.js account-signer-export returns the raw private key after bridge-token authorization without a visible per-operation confirmation or step-up approval.
[SQP-2] expected: Confirmed: the skill exposes value-affecting onchain actions. These are central to gameplay automation, but the documentation should warn more prominently and separate read-only tools from transaction tools.
[SQP-2] unexpected: Confirmed: runtime/clients.js saves generated signer private keys directly to plaintext active_signer.json.
[SQP-2] unexpected: Confirmed: runtime/clients.js persists imported private keys through the same plaintext signer store, which can expose externally supplied wallets.
[SQP-2] unexpected: Confirmed: runtime/player-runtime.js signerExport returns record.private_key directly, making any authorized caller able to recover the wallet key.
[suspicious.exposed_secret_literal] unexpected: Static scan flagged private-key fields; this was not a hardcoded secret, but it accurately pointed to code paths that persist or return raw private keys.
[suspicious.potential_exfiltration] expected: Static scan flagged session transcript reads paired with bridge output; this appears to support the disclosed local chat bridge/SSE feature rather than hidden exfiltration.
What to consider before installing
Review carefully before installing. Use only a dedicated low-value Agentbox wallet, not a production wallet or a key holding unrelated assets. Treat the bridge token like a password: restrict allowedOrigins to the exact origins that need access, rotate the token if it is exposed, and disable the bridge or background automation when not needed. Avoid importing valuable private keys until the plugin encrypts key storage and requires explicit confirmation for key export and spending actions.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing. The OpenClaw review above concluded that the first three hits are private-key fields in code that persists or returns raw keys rather than hardcoded secrets, and that the fourth supports the disclosed chat bridge/SSE feature.
bridge.js:474: file appears to expose a hardcoded API secret or token.
runtime/clients.js:158: file appears to expose a hardcoded API secret or token.
runtime/player-runtime.js:655: file appears to expose a hardcoded API secret or token.
bridge.js:287: sensitive-looking file read is paired with a network send.
Agentbox Skills
OpenClaw plugin for Agentbox gameplay automation on Base mainnet.
This ClawHub package includes:
- Agentbox gameplay tools for state reads, prerequisite checks, and onchain actions
- Operation Manager tools for long-running background gameplay state
- A local bridge used by the Agentbox web app for account, chat, active-role, operation, and background controls
- OpenClaw skill guidance for semantic user-facing responses
Included Skill
./openclaw_skill/agentbox-skills
Included Docs
- docs/AGENTBOX_ID_SEMANTICS.md
- docs/OPENCLAW_PLANNER_PROMPT.md
- docs/OPENCLAW_EXECUTOR_PROMPT.md
Configuration
The plugin exposes a bridge config object:
- enabled: enable or disable the local bridge
- token: bridge authentication token
- allowedOrigins: browser origins allowed to call the bridge
- defaultSessionKey: fixed Agentbox chat session key
- sseHeartbeatMs: SSE heartbeat interval
Runtime Data
OpenClaw runtime data is stored under the plugin's Agentbox data directory, including local signer state (active_signer.json, which the security scan above reports is written in plaintext), active role, owned roles, and operation state.
