v1.0.0

ERCData

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 4:57 AM.

Analysis

The skill matches its blockchain storage purpose, but it gives the agent wallet-signing authority for Base mainnet transactions and should be reviewed carefully before use.

Guidance: Review this skill before installing. If you use it, provide only a dedicated low-balance wallet key with the minimum required roles, verify the contract address and RPC endpoint, approve each transaction explicitly, and never store raw secrets or private memory on-chain without encryption.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
SKILL.md
`store` | Store data on-chain ... `grant-access` | Grant read access ... `revoke-access` | Revoke read access ... `register-type` | Register a new data type (admin only) ... `snapshot` | Create a point-in-time snapshot

The documented commands include state-changing blockchain and access-control operations. They are aligned with the skill's purpose, but they can have persistent and potentially costly effects.

User impact: A mistaken or overly broad agent action could publish data, change access to private entries, or create permanent on-chain records.
Recommendation: Treat every write, grant, revoke, register, verify, or snapshot action as requiring clear user intent and transaction review.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Python 3.10+ with `web3` and `eth-account` packages (auto-installed by uv)

The skill relies on runtime Python packages for blockchain signing and RPC access, but the provided artifacts do not show pinned dependency versions or an install spec.

User impact: Dependency changes or installing from an untrusted environment could matter more here because the tool handles wallet-signing operations.
Recommendation: Install dependencies from trusted package sources, consider pinning versions, and verify the script and contract address before providing a wallet key.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
scripts/ercdata-cli.py
account = Account.from_key(key)
w3.middleware_onion.inject(SignAndSendRawMiddlewareBuilder.build(account), layer=0)
...
tx_hash = fn(args.type, data_bytes, meta_bytes, sig).transact()

The script turns a supplied private key into a signing account and sends contract transactions. This is high-impact wallet authority, especially because the registry metadata says there is no primary credential or required environment variable.

User impact: If the agent is given a real funded wallet key, it can submit Base mainnet transactions, spend gas, and make persistent contract changes through this CLI.
Recommendation: Use only a dedicated low-balance wallet with the minimum required contract roles, avoid main wallet keys, and require explicit human approval for each transaction.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Private entries store the same data on-chain but gate `getData()` access. Note: raw transaction calldata is still visible in on-chain explorers. For maximum privacy, encrypt data before storing.

The skill stores AI data or memory-related content in a persistent on-chain system. Its own privacy note correctly warns that private mode does not hide raw transaction calldata.

User impact: Sensitive agent memory, prompts, metadata, or private data could become permanently visible if stored unencrypted.
Recommendation: Store hashes or encrypted payloads rather than raw secrets, prompts, or private memory, and assume blockchain calldata may be public forever.