MCP Server for Rustok — connects Claude Desktop, Cursor, and cloud agents to the Rustok wallet via Gateway.
The wallet ships as one self-contained Docker image (Core + Gateway + MCP over
stdio); keys live only in a local Docker volume and never leave your machine.
Follow the Installation Guide: run create-wallet once, then
add it as a stdio MCP server in Claude Desktop / Cursor.
The wallet skill (skills/rustok-wallet/)
installs straight from this repo:
# skills CLI (Claude Code, Cursor, and other agents) — https://skills.sh
npx skills add rustok-org/mcp
# Hermes Agent
hermes skills tap add rustok-org/mcp
hermes skills install rustok-org/mcp/rustok-walletFor OpenClaw it is published on ClawHub.
- Official MCP Registry — the wallet server is published as
io.github.rustok-org/rustok-wallet(OCI packageghcr.io/rustok-org/rustok-wallet, stdio), for MCP clients that resolve servers from the registry. - ClawHub — the agent skill for OpenClaw: clawhub.ai/temrjan/skills/rustok-wallet.
# Install dependencies
uv sync --dev
# Run the server
uv run rustok-mcp
# Or run stdio transport
uv run rustok-mcp-stdiodocker build -t rustok-mcp .
docker run -p 127.0.0.1:3001:3001 -e RUSTOK_MCP_HOST=0.0.0.0 rustok-mcpTo run the full stack (MCP → Gateway → Core + Redis), use the compose file
in rustok-org/meta.
The network-facing SSE transport is gated by a shared bearer token.
- Inbound (
RUSTOK_MCP_INBOUND_API_KEY) — clients must sendAuthorization: Bearer <token>to reach/mcp/sseand/mcp/message. Distinct from the outboundRUSTOK_MCP_API_KEY(MCP → Gateway). - Dev: leave it empty — the loopback flow stays open and the server logs a warning at startup.
- Prod: required. The token must travel in the request header, never in a
query string (query strings leak into access logs). Generate one with
openssl rand -hex 32. - The browser
EventSourceAPI cannot set headers and is not a supported client; use an MCP client that sends request headers. /healthis always public (used by the container healthcheck).- The local stdio transport is process-trusted and not gated.
⚠️ The MCP has no built-in brute-force / rate-limit protection. Terminate it behind the edge proxy (Caddy) with host-level rate limiting (see therustok-org/metadeploy docs); do not expose it to the internet directly.
Rustok is a self-custody AI-native crypto wallet. The MCP Server is a thin bridge between LLM agents and the Rustok Gateway — private keys never leave the Core service (they stay in the local keystore volume).
- Self-custody: keys are encrypted at rest (Argon2id + AES-256-GCM) and only decrypted inside Core on your machine.
- Capability-gated tools (
read_wallet/preview_tx/execute_tx): the stdio transport is process-trusted (all by default; restrict withRUSTOK_MCP_CAPABILITIES); the network-facing SSE transport is bearer-gated. - No spending policy by design: no hard-coded limits, budgets, or blocklists —
you consciously accept the risk of funds on the agent wallet.
txguardsurfaces a risk level on preview but does not block. Opt-in limits may come later. - Chains are opt-in: set
RUSTOK_ALLOWED_CHAINS(default1,8453— Ethereum + Base); enable another chain by providing its RPC (RUSTOK_RPC_URLS_<id>or an Alchemy key). - Informed preview:
preview_transactionreturns the decoded call (who/what is authorized), a pre-sign simulation (revert check), gas, and a txguard risk level. Execution is not exposed as an MCP tool. - Audit logging: every action is append-only logged to SQLite in Core.
This repository is licensed under MIT-0.
The Rustok Core wallet engine is a proprietary artifact built from the private rustok-org/core repository.