ChaosChain - Agent Trust & Reputation

This skill appears to do what it claims (read ERC-8004 registries) and installs only Python dependencies, but take these precautions before installing or supplying secrets: - You do not need to provide any env vars to use read-only commands (verify, reputation). Do not set CHAOSCHAIN_PRIVATE_KEY unless you intend to perform the explicit /chaoschain register action. - Do NOT store a mainnet private key in openclaw.json or plaintext config. If you must register, prefer using a dedicated testnet or ephemeral wallet and never reuse a key that controls valuable funds. - Review the full scripts/chaoschain_skill.py before trusting the skill with credentials to confirm the private key is used only for signing register txns and not exfiltrated. Consider running the skill in an isolated environment or sandbox until audited. - If you want to avoid third-party RPC providers, set CHAOSCHAIN_RPC_URL to a provider you control or a trusted RPC to avoid sending queries to the hardcoded public endpoints. - Ask the maintainer to update registry metadata to list optional env vars (CHAOSCHAIN_PRIVATE_KEY, CHAOSCHAIN_ADDRESS, CHAOSCHAIN_RPC_URL) so users see the requirement upfront. If you are comfortable keeping private keys offline or using a throwaway testnet key, the read-only parts are reasonable to use; otherwise treat this skill as requiring manual code review and careful secret handling.