ERCData
v1.0.0Store, verify, and manage AI data on the Ethereum blockchain (Base network) using the ERCData standard. Use when an agent needs to store data fingerprints on-chain, verify data integrity, create audit trails, manage access control for private data, or interact with the ERCData smart contract. Supports public and private storage, EIP-712 verification, snapshots, and batch operations.
⭐ 1· 1.6k·3 current·3 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name, description, SKILL.md, and the included CLI script consistently implement on-chain ERCData operations on Base (store/read/verify/grant/revoke/register/snapshot). Requiring an ERCDATA_KEY (private key) and ERCDATA_CONTRACT is coherent with the stated purpose. However, the registry metadata claims no required env vars or primary credential while the runtime instructions and code require ERCDATA_KEY and ERCDATA_CONTRACT — a packaging/metadata inconsistency.
Instruction Scope
SKILL.md and the script instruct only on interacting with the specified smart contract and Base RPC. Commands and flags are limited to transaction signing, reading contract state, and access control; there are no instructions to read unrelated host files, contact unexpected endpoints, or exfiltrate arbitrary data. The default RPC is https://mainnet.base.org (expected for Base).
Install Mechanism
No install spec is provided (instruction-only in registry), yet the SKILL.md and script require Python (3.10+) and third-party packages (web3, eth-account). The script prints a pip install hint and will fail if dependencies are missing; packaging should declare dependencies or provide an install procedure. No remote downloads or suspicious URLs are used, but the lack of a declared install mechanism is a packaging omission to be aware of.
Credentials
The runtime requires a sensitive credential (ERCDATA_KEY — an Ethereum private key) and ERCDATA_CONTRACT/RPC; these are proportionate to signing and submitting transactions. The problem is that the skill registry metadata does not declare these required env vars or a primary credential. Failing to declare a required private key is a material omission because supplying that key grants the skill power to sign on-chain transactions (and potentially spend funds).
Persistence & Privilege
The skill does not request always: true and is user-invocable with normal autonomous invocation allowed. It does not attempt to modify other skills or system-wide settings. There is no evidence it persists credentials or alters agent config beyond using the provided key at runtime (which is expected for blockchain transaction signing).
What to consider before installing
This skill appears to implement ERCData interactions correctly, but exercise caution because the package metadata omits required dependencies and the private-key environment variable. Before installing or running:
- Do not place a funded private key (ERCDATA_KEY) in shared or persistent environment variables unless you fully trust the code and owner. Prefer passing a transient key via flag or using a dedicated ephemeral account with minimal funds and no other privileges.
- Verify the ERCDATA_CONTRACT address (default is included in files) against an authoritative source; test on a non-mainnet environment first.
- Review the bundled script (scripts/ercdata-cli.py) yourself or run it in an isolated environment. The script will sign and broadcast transactions using the provided key — a compromised key could be used to spend funds or perform on-chain actions.
- Ensure Python dependencies (web3, eth-account) are installed in an isolated venv; the package lacks an install spec.
- Confirm you have the appropriate roles (PROVIDER_ROLE/VERIFIER_ROLE) on the contract before attempting writes.
If you cannot verify the contract address and code provenance, treat this packaging mismatch as a red flag and do not supply any valuable private keys.Like a lobster shell, security has layers — review code before you run it.
latestvk97b7nfmznxp2ycv3vqptcmczd809p60
License
MIT-0
Free to use, modify, and redistribute. No attribution required.