
MistTrack Skills

Cryptocurrency address risk analysis, AML compliance checks, and on-chain transaction tracing using the MistTrack OpenAPI. MistTrack is an anti-money laundering tool.
misttrack
Security & Compliance clawhub v0.2.12 2 versions 100000 Key: required

Overview

MistTrack Skills

Sub-skill Index

This skill pack contains two functional modules, each defined under the skills/ directory:

| File | Function | Use Case |
| --- | --- | --- |
| skills/core.md | Core Features | Risk scoring, address investigation, multisig analysis, pre-transfer security checks, wallet integration (Bitget/Trust/Binance/OKX) |
| skills/payment.md | x402 Payment | Pay-per-use MistTrack API calls when no API Key is available |

Security

> Read this section before setting any environment variables or invoking payment features.

MISTTRACK_API_KEY

A standard API key for read-only AML queries. No on-chain access. Set via environment variable or --api-key flag.

x402 Private Key — High Sensitivity

scripts/pay.py can sign and broadcast on-chain USDC transactions when a private key is supplied via --key-file.

Enforced in code (runtime, unconditional):

  • Hard cap: $1.00 USDC per call — amounts above this are rejected before signing, regardless of flags.
  • X402_PRIVATE_KEY environment variable is refused: pay.py exits with an error if this variable is set in the environment.
  • Private keys must be supplied via --key-file — the key is read from a permission-restricted file at invocation time and never appears on the command line.
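
One way to order the three runtime checks listed above so that nothing is signed until all of them pass. This is an added example, not the code of scripts/pay.py; the names load_key_checked and PreSignError and the owner and regular-file checks are assumptions made here.

```python
import os
import stat
from decimal import Decimal

MAX_USDC = Decimal("1.00")          # hard cap per call, as stated above
FORBIDDEN_ENV = "X402_PRIVATE_KEY"  # env var the page says is refused


class PreSignError(Exception):
    """Raised when a payment must be rejected before any signing happens."""


def load_key_checked(key_file, amount_usdc, environ=None):
    """Return the key text only if all pre-signing checks pass (hypothetical helper)."""
    environ = os.environ if environ is None else environ
    # 1. Refuse to run at all if the key was placed in the environment.
    if FORBIDDEN_ENV in environ:
        raise PreSignError(f"{FORBIDDEN_ENV} is set; use --key-file instead")
    # 2. Enforce the cap with Decimal so 1.0000001 is not rounded down to 1.00.
    amount = Decimal(str(amount_usdc))
    if not amount.is_finite() or amount <= 0 or amount > MAX_USDC:
        raise PreSignError(f"amount {amount} outside (0, {MAX_USDC}] USDC")
    # 3. Open first, then fstat the descriptor: checking the path and opening
    #    it later would leave a window to swap the file (TOCTOU).
    fd = os.open(key_file, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PreSignError("key file is not a regular file")
        if st.st_uid != os.geteuid():
            raise PreSignError("key file is not owned by the current user")
        if stat.S_IMODE(st.st_mode) & 0o077:
            raise PreSignError("key file is readable by group/other; chmod 600")
        return os.read(fd, 4096).decode().strip()
    finally:
        os.close(fd)
```
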

Advisory only (harness-dependent, not enforced by this package):

  • skills/payment.md sets disable_model_calls: true — signals agent platforms to block autonomous invocation. Platforms such as OpenClaw/skills.sh enforce this field; on other platforms it is advisory only.

Remaining risks:

  • An operator who supplies --key-file and adds --auto can trigger unattended payments (intentional for testing; do not use in production).

Recommended practice:

  1. Prefer MISTTRACK_API_KEY for all normal usage — it is read-only and never touches on-chain state.
  2. If x402 is needed, store the key in a chmod 600 file and pass it via --key-file at invocation time.
  3. Never pass --auto in production agent pipelines.

Quick Reference

Pre-Transfer Security Check (Most Common)

Before executing any transfer or withdrawal, run the following script to check the recipient address for AML risk:

```bash
python3 scripts/transfer_security_check.py \
  --address <recipient_address> \
  --chain <chain_code> \
  --json
```

Exit Code: 0=ALLOW / 1=WARN / 2=BLOCK / 3=ERROR

See skills/core.md for detailed decision logic.
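
One way to gate a transfer on the exit code above, failing closed on ERROR and on any code outside 0 to 3. This is an added example, not part of the skill pack; the function names and the policy that WARN needs explicit human approval are assumptions (the pack's own decision logic is in skills/core.md).

```python
import subprocess
from enum import Enum


# Exit-code contract quoted from the page: 0=ALLOW / 1=WARN / 2=BLOCK / 3=ERROR
class Verdict(Enum):
    ALLOW = 0
    WARN = 1
    BLOCK = 2
    ERROR = 3


def run_check(address, chain, timeout=30):
    """Invoke the checker with the flags shown above; return its exit code."""
    cmd = ["python3", "scripts/transfer_security_check.py",
           "--address", address, "--chain", chain, "--json"]
    try:
        # argv list, no shell: the address is never interpreted by a shell.
        return subprocess.run(cmd, capture_output=True, timeout=timeout).returncode
    except (OSError, subprocess.TimeoutExpired):
        return Verdict.ERROR.value  # no answer obtained: treat as ERROR


def may_transfer(address, chain, human_approved=False, check=run_check):
    """Return (proceed, verdict). Anything but a clean ALLOW fails closed."""
    code = check(address, chain)
    try:
        verdict = Verdict(code)
    except ValueError:
        verdict = Verdict.ERROR  # unknown code (crash, signal): never ALLOW
    if verdict is Verdict.ALLOW:
        return True, verdict
    if verdict is Verdict.WARN:
        # Assumed policy: WARN needs an explicit human decision.
        return bool(human_approved), verdict
    return False, verdict  # BLOCK and ERROR both stop the transfer
```
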

Full Address Investigation

```bash
python3 scripts/address_investigation.py --address 0x... --coin ETH
```

x402 Pay-per-Use

When no API Key is available, use scripts/pay.py to pay per call with USDC.

Private keys must be stored in a permission-restricted file and passed via --key-file:

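```bash
# umask 077 in a subshell creates the file as owner-only from the start,
# so it is never briefly group/world-readable before chmod runs.
(umask 077 && echo "your_hex_private_key" > ~/.x402_key) && chmod 600 ~/.x402_key
python3 scripts/pay.py pay --url "..." --key-file ~/.x402_key --chain-id 8453
```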

See skills/payment.md for details and security considerations.


Environment Variables

| Variable | Required | Sensitive | Description |
| --- | --- | --- | --- |
| MISTTRACK_API_KEY | No (recommended) | Yes | MistTrack API key — all scripts read this first; x402 is the alternative if absent |

> When MISTTRACK_API_KEY is set, all scripts use API Key mode (read-only, no on-chain access).

> For x402 pay-per-use, store the private key in a chmod 600 file and pass it via --key-file at invocation time. X402_PRIVATE_KEY environment variable is not supported and causes pay.py to exit with an error.


Python Dependencies

```bash
# Core AML scripts (risk_check, batch_risk_check, transfer_security_check,
#                   address_investigation, multisig_analysis)
pip install -r requirements.txt

# pay.py only (x402 EVM + Solana payments)
pip install -r requirements-pay.txt
```

| Package | Required for |
| --- | --- |
| requests | All scripts (requirements.txt) |
| eth-account | pay.py EIP-3009 signing (requirements-pay.txt) |
| eth-abi | pay.py EIP-712 encoding (requirements-pay.txt) |
| eth-utils | pay.py keccak256 (requirements-pay.txt) |
| solders | pay.py Solana partial signing (requirements-pay.txt) |
| base58 | pay.py Solana partial signing (requirements-pay.txt) |
Script Reference

| Script | Function |
| --- | --- |
| scripts/transfer_security_check.py | Pre-transfer AML address check (main entry point) |
| scripts/risk_check.py | Single address risk scoring |
| scripts/batch_risk_check.py | Batch async risk scoring |
| scripts/address_investigation.py | Full address investigation (aggregates 6 APIs) |
| scripts/multisig_analysis.py | Multisig address identification and permission analysis |
| scripts/pay.py | x402 payment protocol client - see Security section |

Version History

2 versions in total

  • v0.2.12 (current)
    2026-05-03 04:28 Safe Safe
  • v0.1.0
    2026-03-19 21:45 Safe

Security Scan

Tencent Cloud Security (Keen)

Safe, no risk

Tencent Cloud Security (Sanbu)

Safe, no risk
