Erc8004 Discover
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a read-only ERC-8004 discovery tool, with the main cautions being external metadata URL fetching and optional scheduled monitoring.
This looks reasonable for read-only public agent discovery. Before installing, be aware that metadata lookups may contact URLs listed in registry entries, and only set up the cron monitoring example if you want continuous checks and local cache/log files.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A registry entry could cause your machine to contact an external metadata URL during lookup, exposing normal request metadata such as IP address and potentially reaching unintended network destinations.
Agent metadata URLs from registry records are fetched directly, so metadata lookup can make outbound requests to non-Agentscan destinations.
if metadata_uri.startswith("http://") or metadata_uri.startswith("https://"):
    return api_request(metadata_uri)
Treat registry metadata as untrusted; consider adding user confirmation, allowlisting, or private/local address blocking before fetching arbitrary metadata URLs.
If you adopt the cron example, the tool will run periodically and create or update cache/log files until you remove that schedule.
The documentation shows optional repeated background execution and persistent cache files for monitoring.
*/15 * * * * python scripts/discover.py monitor 42 >> /var/log/agent-monitor.log 2>&1
Cache files are stored in `/tmp/erc8004-monitor-{id}.json`.
Only enable scheduled monitoring intentionally, review where logs are written, and clean up cache files when monitoring is no longer needed.
