Doppel ERC-8004
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is a mostly transparent onchain registration guide, but it handles an Ethereum wallet private key in a way that could expose it in logs or agent transcripts.
Review before installing or using. Only use a fresh, low-balance wallet; do not paste or print an existing wallet private key in an agent-visible environment; verify the Base contract address and registration metadata; and require explicit confirmation before any transaction is sent.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key appears in agent logs, terminal history, or chat transcripts, anyone with access to those records could control the wallet and identity.
The instructions show printing a wallet private key and storing it as an environment variable. That private key controls the wallet funds and the permanent onchain identity.
const privateKey = generatePrivateKey();
console.log("Private key:", privateKey);
...
AGENT_PRIVATE_KEY=0x...your_private_key_here...
Use a fresh low-balance burner wallet, avoid printing private keys, store keys in a wallet/key manager instead of agent-visible logs, and require explicit user confirmation before any transaction.
Running the transaction can spend ETH and create a permanent public registration.
The skill sends an onchain contract transaction. This is central to the stated purpose, but it mutates blockchain state and spends gas.
const hash = await walletClient.writeContract({
  address: IDENTITY_REGISTRY,
  abi: registerAbi,
  functionName: "register",
  args: [uri],
});
Verify the contract address, chain, registration metadata, and gas estimate, and require a clear final approval before broadcasting the transaction.
A compromised or unexpected package version could affect the wallet code run in the local environment.
The skill asks the user to install an npm package without pinning a version. This is common for setup documentation, but it depends on the current npm package supply chain.
npm install viem
Install from a trusted environment, consider pinning a known viem version, and review the dependency before using it with a private key.
Incorrect or sensitive metadata could become publicly visible and affect later reputation or allocation decisions.
The skill discloses that registration data and reputation become public, persistent, and can influence Doppel token allocation.
This is your permanent, verifiable onchain identity. ... Anyone can read it onchain. ... Your reputation then flows into the Doppel token allocation system.
Review all registration metadata carefully and avoid publishing private or unverified information.
