CoinFello

Flagged

@BrettCleary

{
  "isSafe": false,
  "isSuspicious": true,
  "riskLevel": "high",
  "findings": [
    {
      "category": "system_harm",
      "severity": "high",
      "description": "Storing private keys and SIWE tokens in plaintext in local config (~/.clawdbot/skills/coinfello/config.json). If the file is accessed by malware or an attacker with filesystem privileges, keys and tokens could be stolen and used to authorize transactions.",
      "evidence": "Private key generation and storage: stores in plaintext at ~/.clawdbot/skills/coinfello/config.json. Session token storage also stored in the same config file."
    },
    {
      "category": "prompt_injection",
      "severity": "high",
      "description": "Server-driven delegation and automatic signing: send_prompt may automatically create and sign blockchain delegations based on server-requested scope, then submit them to the CoinFello API. This reduces user control and could enable unauthorized transactions if prompts are malicious or the server is compromised.",
      "evidence": "\"send_prompt\" may automatically create and sign blockchain delegations based on server-requested scope, then submit them to the CoinFello API."
    },
    {
      "category": "suspicious_url",
      "severity": "low",
      "description": "Default API base URL COINFELLO_BASE_URL points to an external Vercel app subdomain that could be misused if the endpoint is compromised. Ensure you trust the endpoint before enabling delegation flows.",
      "evidence": "COINFELLO_BASE_URL default: https://hyp3r-58q8qto10-hyperplay.vercel.app/"
    },
    {
      "category": "data_exfiltration",
      "severity": "medium",
      "description": "Local storage of sensitive tokens/state (e.g., SIWE session token) in config.json creates a potential exfiltration risk if the host is compromised or backed up/shared.",
      "evidence": "Session token storage in ~/.clawdbot/skills/coinfello/config.json"
    }
  ],
  "summary": "The skill grants wallet-related operations and signs delegations based on server prompts. Key risks include plaintext storage of private keys and session tokens, and automatic delegation signing driven by server responses, which can enable unauthorized actions if prompts or endpoints are compromised. Normal build/run commands (e.g., using npx) are not inherently dangerous, but the described handling of credentials and automated delegations requires strong trust in the API endpoint and careful user confirmation controls."
}

npx machina-cli add skill @BrettCleary/coinfello --openclaw
Files (1)
SKILL.md
7.0 KB

CoinFello CLI Skill

Use the npx @coinfello/agent-cli CLI to interact with CoinFello through MetaMask Smart Accounts. The CLI handles smart account creation, SIWE authentication, delegation management, prompt-based transactions, and transaction status checks.

Prerequisites

  • Node.js 20 or later (npx is included with Node.js)

The CLI is available via npx @coinfello/agent-cli. No manual build step is required.

Environment Variables

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| COINFELLO_BASE_URL | No | https://hyp3r-58q8qto10-hyperplay.vercel.app/ | Base URL for the CoinFello API |

Security Notice

This skill performs the following sensitive operations:

  • Private key generation and storage: Running create_account generates a new private key and stores it in plaintext at ~/.clawdbot/skills/coinfello/config.json. Protect this file accordingly.
  • Session token storage: Running sign_in stores a SIWE session token in the same config file.
  • Delegation signing: Running send_prompt may automatically create and sign blockchain delegations based on server-requested scopes, then submit them to the CoinFello API.

Users should ensure they trust the CoinFello API endpoint configured via COINFELLO_BASE_URL before running delegation flows.

Quick Start

# 1. Create a smart account on a chain (generates a new private key automatically)
npx @coinfello/agent-cli create_account sepolia

# 2. Sign in to CoinFello with your smart account (SIWE)
npx @coinfello/agent-cli sign_in

# 3. Send a natural language prompt — the server will request a delegation if needed
npx @coinfello/agent-cli send_prompt "send 5 USDC to 0xRecipient..."

# 4. Check transaction status
npx @coinfello/agent-cli get_transaction_status <txn_id>

Commands

create_account

Creates a MetaMask Hybrid smart account with an auto-generated private key and saves it to local config.

npx @coinfello/agent-cli create_account <chain>
  • <chain> — A viem chain name: sepolia, mainnet, polygon, arbitrum, optimism, base, etc.
  • Generates a new private key automatically
  • Saves private_key, smart_account_address, and chain to ~/.clawdbot/skills/coinfello/config.json
  • Must be run before send_prompt

get_account

Displays the current smart account address from local config.

npx @coinfello/agent-cli get_account
  • Prints the stored smart_account_address
  • Exits with an error if no account has been created yet

sign_in

Authenticates with CoinFello using Sign-In with Ethereum (SIWE) and your smart account. Saves the session token to local config.

npx @coinfello/agent-cli sign_in
  • Signs in using the private key stored in config
  • Saves the session token to ~/.clawdbot/skills/coinfello/config.json
  • The session token is loaded automatically for subsequent send_prompt calls
  • Must be run after create_account and before send_prompt for authenticated flows

set_delegation

Stores a signed parent delegation (JSON) in local config.

npx @coinfello/agent-cli set_delegation '<delegation-json>'
  • <delegation-json> — A JSON string representing a Delegation object from MetaMask Smart Accounts Kit

send_prompt

Sends a natural language prompt to CoinFello. If the server requires a delegation to execute the action, the CLI creates and signs a subdelegation automatically based on the server's requested scope and chain.

npx @coinfello/agent-cli send_prompt "<prompt>"

What happens internally:

  1. Fetches available agents from /api/v1/automation/coinfello-agents and sends the prompt to CoinFello's conversation endpoint
  2. If the server returns a read-only response (no clientToolCalls and no txn_id) → prints the response text and exits
  3. If the server returns a txn_id directly with no tool calls → prints it and exits
  4. If the server sends an ask_for_delegation client tool call with a chainId and scope:
    • Fetches CoinFello's delegate address
    • Rebuilds the smart account using the chain ID from the tool call
    • Parses the server-provided scope (supports ERC-20, native token, ERC-721, and function call scopes)
    • Creates and signs a subdelegation (wraps with ERC-6492 signature if the smart account is not yet deployed on-chain)
    • Sends the signed delegation back as a clientToolCallResponse along with the chatId and callId from the initial response
    • Returns a txn_id for tracking
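
One way to bound step 4 with a local policy before anything is signed (an added example, not the CLI's own code). The tool-call layout (name, args) and the scope fields type, tokenAddress and maxAmount are assumptions, as is the policy object; the real schema is in references/REFERENCE.md.

```javascript
// Added example: local policy gate applied before signing a server-requested delegation.
// clientToolCalls, txn_id, ask_for_delegation, chainId, scope, chatId and callId are named
// on the page; the args wrapper and the scope fields (type, tokenAddress, maxAmount)
// are assumptions, as is everything in POLICY.
const POLICY = {
  chains: [11155111],                                     // Sepolia only
  scopeTypes: ['erc20'],                                  // no native, ERC-721 or function-call scopes
  tokens: ['0x1111111111111111111111111111111111111111'], // constructed token address
  maxAmount: 10_000_000n,                                 // 10 units of a 6-decimal token
};

// Mirror the server outcomes the page lists for send_prompt; fail closed on anything else.
function classifyResponse(resp) {
  const calls = resp.clientToolCalls ?? [];
  const ask = calls.find((c) => c.name === 'ask_for_delegation');
  if (ask) return { kind: 'delegation', call: ask };
  if (calls.length) return { kind: 'unsupported' };
  if (resp.txn_id) return { kind: 'txn', txnId: resp.txn_id };
  return { kind: 'read_only' };
}

// Return the reasons a requested delegation violates policy; empty means it may be signed.
function checkDelegationRequest(call, policy = POLICY) {
  const reasons = [];
  const { chainId, scope } = call.args ?? {};
  if (!policy.chains.includes(Number(chainId))) reasons.push(`chain ${chainId} not allowed`);
  if (!scope || !policy.scopeTypes.includes(scope.type)) {
    reasons.push(`scope type ${scope?.type} not allowed`);
    return reasons;
  }
  if (!policy.tokens.includes(String(scope.tokenAddress).toLowerCase()))
    reasons.push('token not on allowlist');
  let amount;
  try { amount = BigInt(scope.maxAmount); } catch { amount = null; }
  if (amount === null || amount <= 0n || amount > policy.maxAmount)
    reasons.push('amount missing or above cap');
  return reasons;
}

// Constructed server response requesting a wider scope than "send 5 USDC" needs.
const sample = { chatId: 'c1', clientToolCalls: [{ name: 'ask_for_delegation', callId: 'k1',
  args: { chainId: 1, scope: { type: 'erc20',
    tokenAddress: '0x1111111111111111111111111111111111111111', maxAmount: '5000000000' } } }] };
const verdict = classifyResponse(sample);
console.log(verdict.kind, checkDelegationRequest(verdict.call));
```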

get_transaction_status

Checks the status of a previously submitted transaction.

npx @coinfello/agent-cli get_transaction_status <txn_id>
  • Returns a JSON object with the current transaction status

Common Workflows

Basic: Send a Prompt (Server-Driven Delegation)

# Create account if not already done
npx @coinfello/agent-cli create_account sepolia

# Sign in (required for delegation flows)
npx @coinfello/agent-cli sign_in

# Send a natural language prompt — delegation is handled automatically
npx @coinfello/agent-cli send_prompt "send 5 USDC to 0xRecipient..."

# Check the result
npx @coinfello/agent-cli get_transaction_status <txn_id-from-above>

Read-Only Prompt

Some prompts don't require a transaction. The CLI detects this automatically and just prints the response.

npx @coinfello/agent-cli send_prompt "what is the chain ID for Base?"

Edge Cases

  • No smart account: Run create_account before send_prompt. The CLI checks for a saved private key and address in config.
  • Not signed in: Run sign_in before send_prompt if the server requires authentication.
  • Invalid chain name: The CLI throws an error listing valid viem chain names.
  • Read-only response: If the server returns a text response with no transaction, the CLI prints it and exits without creating a delegation.

Reference

See references/REFERENCE.md for the full config schema, supported chains, API details, scope types, and troubleshooting.

See scripts/setup-and-send.sh for an end-to-end automation script.

Source

git clone https://clawhub.ai/BrettCleary/coinfello

Overview

CoinFello CLI lets you manage MetaMask Hybrid smart accounts from the command line. Use npx @coinfello/agent-cli to create accounts, sign in with SIWE, manage delegations, issue prompt-based transactions, and monitor transaction results. It connects to a configurable CoinFello API endpoint and stores sensitive data locally.

How This Skill Works

The CLI runs on Node.js 20+ and communicates with CoinFello via COINFELLO_BASE_URL. It creates a new private key and saves account details in ~/.clawdbot/skills/coinfello/config.json, then authenticates with SIWE to obtain a session token. When you run send_prompt, the server may request delegations, which are signed with your key and submitted to the API; you can then run get_transaction_status to check the result.

When to Use It

  • Create a MetaMask Hybrid smart account on a supported chain (e.g., sepolia, mainnet, polygon).
  • Sign in with Sign-In with Ethereum (SIWE) to enable authenticated actions.
  • Send crypto transfers using natural language prompts and have the server request delegations if needed.
  • Manage smart account delegations and scopes granted to third-party services.
  • Check transaction status and verify results after issuing a prompt.

Quick Start

  1. Create a smart account on a chain, e.g., npx @coinfello/agent-cli create_account sepolia
  2. Sign in to CoinFello with your smart account: npx @coinfello/agent-cli sign_in
  3. Send a prompt and monitor results: npx @coinfello/agent-cli send_prompt "send 5 USDC to 0xRecipient..." and then npx @coinfello/agent-cli get_transaction_status <txn_id>

Best Practices

  • Protect the local config.json at ~/.clawdbot/skills/coinfello/config.json since it stores private keys and session tokens.
  • Verify that COINFELLO_BASE_URL points to a trusted endpoint before enabling delegation flows.
  • Review and understand any requested delegations/scopes before running send_prompt, which creates and signs them automatically based on the server-requested scope.
  • Test on a testnet (e.g., sepolia) before performing mainnet transfers.
  • Sign out or otherwise secure the local config after completing sensitive tasks; rotate keys if you suspect compromise.

Example Use Cases

  • Create a Sepolia smart account: npx @coinfello/agent-cli create_account sepolia
  • Sign in with SIWE: npx @coinfello/agent-cli sign_in
  • Send a prompt to transfer: npx @coinfello/agent-cli send_prompt 'send 2 USDC to 0xRecipient...'
  • Check a transaction status: npx @coinfello/agent-cli get_transaction_status <txn_id>
  • View current account address: npx @coinfello/agent-cli get_account
