MuHaven RWA Portfolio — OpenClaw skill
This skill bundles a curated subset of @muhaven/mcp plus an OpenClaw-shaped
config bundle. It runs in OpenClaw's NemoClaw runtime (or any MCP host that
honours the manifest's permissions block) and connects to the live
MuHaven backend at https://api.muhaven.app.
What it does
- Reads your encrypted RWA portfolio — balances stay encrypted with Fhenix CoFHE; the skill never sees plaintext.
- Stages buy + claim intents for the OpenClaw surface — the skill never auto-submits. Every intent emits a structured confirmation request to one of three tiers based on amount.
- Surfaces audit log for compliance / forensics.
/pausekill-switch uninstalls the on-chain@zerodev/permissionsvalidator within one Arb block.
What it intentionally cannot do
- Move funds without your passkey. The skill issues unsigned UserOp
envelopes; signing happens in the
muhaven-brokerdaemon (≤$200 inline callback) or in your dashboard / Mini App (>$200 tiers). - Speak to anything outside the egress allowlist.
manifest.json'snetwork.deny_default: truemeans a tampered binary cannot exfiltrate to a third party. - Read or write your filesystem.
permissions.filesystem.{read,write}: []. - Spawn child processes.
permissions.process.spawn: []. - Store any secret. JWT lives in
muhaven-broker's OS-keychain entry; the skill calls the broker over Unix-socket / named-pipe IPC.
How to install
- Install plain OpenClaw + ClawHub CLI globally:
(Runtime decision 2026-05-11: plain OpenClaw undernpm install -g openclaw@latest clawhub openclaw --version # confirm install clawhub --versionsandbox.fallback: host_native. NemoClaw remains the preferred runtime claim inmanifest.jsonfor forward-compat; today's deploy targets plain OpenClaw.) - Install the broker daemon separately as a global so its bin
lands on
$PATHregardless of ClawHub's bin-handling:
(ClawHub install resolves the skill's transitivenpm install -g @muhaven/mcp@0.1.2 muhaven-broker --version # sanity check@muhaven/mcpdep into a runtime-localnode_modules. Themuhaven-brokerbin may not surface on$PATHwithout this separate global install.) - Install the skill:
clawhub install muhaven-rwa-skill@0.1.0 - Start the broker daemon:
muhaven-broker(see@muhaven/mcpREADME). - Authenticate:
muhaven-broker login— opens browser tohttps://muhaven.app/link?code=XXXX-XXXX, complete passkey. - Optional: link your Telegram account for the
/agent/openclaw/*confirmation surface. From the dashboard/agentpage → Telegram tab → "Link Telegram" → message the bot at@muhaven_botwith the one-time link code.
Confirmation tiers
The skill never executes a state-mutating action without a confirmation. Three tiers based on intent notional (USDC):
| Range | Surface | Why |
|---|---|---|
| ≤ $200 | Telegram inline keyboard "Confirm" button | Low blast radius. Same trust model as a $200 mobile wallet payment — single-tap inline. |
| $200 – $5,000 | Mini App with 6-digit OTP sent via separate Telegram message | Defends against a chat-stuffing attack where the LLM emits a Confirm button users tap on autopilot. OTP is out-of-band. |
| > $5,000 | Deep-link to dashboard https://muhaven.app/agent/confirm?intent=… for passkey signature | Phishing-resistant by construction — WebAuthn RP-ID is bound to the dashboard origin; a Telegram-based MITM cannot complete passkey. |
Tier boundaries are audit-logged in agent_audit_events with the
amount-bucket the intent fell into. Investors can lower the boundaries
in the dashboard /agent policy tab; they cannot raise them above the
hardcoded ceilings (regulatory + Reg BI Care Obligation).
Hardening invariants (do NOT relax without audit)
permissions.network.deny_default: true— every new endpoint requires a manifest update + signed re-publish.permissions.secrets.storage: os_keychain— paste-token UX is forbidden.runtime.type: node— no shell, no Python, no JIT-compiled blob.mcp.toolset_subsetis the only set of tools the skill will dispatch to — additions require an ADR + signed re-publish.- Sigstore signing + GitHub OIDC trusted publishing — long-lived ClawHub tokens are not used. ClawHavoc (Feb 2026) precedent.
required_reviewers: 2— single-maintainer publish is rejected at the policy gate. Two-maintainer release is the lesson from the Anthropic MCP SDK STDIO arbitrary-command CVEs (Apr 2026).
Tool inventory (subset of @muhaven/mcp)
See manifest.json and the upstream descriptors in
@muhaven/mcp/src/tools/descriptions.ts. The skill only re-advertises
the mcp.toolset_subset listed in this frontmatter; descriptor SHA-256
hashes are pinned in tool-hashes.json and verified on every skill
load (mcp-context-protector pattern, post-MCPoison).
Reference docs
- ADR-C in
development/research-docs/WAVE_4_AGENTIC_RESEARCH_RESULT.md development/DEV_WAVE_4/TOOL_NAMESPACE.mdfor the full naming surfacedevelopment/DEV_WAVE_4/THREAT_MODEL_P0.mdfor OWASP LLM + Agentic mappings
License
MIT. See LICENSE in the repository root.