ERCData
Pass
Audited by ClawScan on May 10, 2026.
Overview
ERCData appears purpose-aligned, but it uses a real blockchain private key and writes persistent Base mainnet data, so users should treat writes as irreversible and avoid storing secrets unencrypted.
Before installing or using ERCData, use a dedicated funded wallet, confirm the contract and RPC endpoint, manually approve any transaction that writes or changes access, and never store raw secrets on-chain unless they are encrypted first.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the wrong key is used or a command is run unintentionally, the wallet can incur gas costs and mutate contract state.
The skill requires a raw wallet private key for write operations, giving the agent authority to sign Base mainnet transactions and spend gas from that wallet.
`ERCDATA_KEY` — Private key for signing transactions (required for writes)
Use a dedicated, minimally funded wallet for this skill, avoid sharing a primary wallet key, and review each write transaction before running it.
Mainnet writes are persistent, may cost gas, and may not be practically reversible.
The documented command set includes mutating blockchain operations, including access-control changes and admin-only registration.
`store`, `grant-access`, `revoke-access`, `register-type`, `snapshot`
Require explicit user approval for write, access-control, snapshot, and admin commands, and confirm the contract address and data before submitting transactions.
Sensitive agent memory or private data could become publicly observable if stored without encryption.
The skill discloses that 'private' mode is not complete secrecy because raw calldata can still reveal the submitted data.
Private entries store the same data on-chain but gate `getData()` access. Note: raw transaction calldata is still visible on-chain explorers. For maximum privacy, encrypt data before storing.
Do not store secrets or raw private memory directly on-chain; store hashes or encrypt data before submission.
Dependency resolution may vary across environments, and users do not get pinned package versions from the artifacts.
The skill relies on external Python packages, but the provided metadata has no install spec or pinned dependency versions.
Python 3.10+ with `web3` and `eth-account` packages (auto-installed by uv)
Install from a trusted Python environment, pin dependency versions where possible, and verify the local script before using a wallet key.
