Erc8004 Register
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill appears aligned with ERC-8004 registration, but it needs a full wallet private key or mnemonic and can send real on-chain transactions, which is high-impact and under-declared.
Install only if you are comfortable giving this skill temporary access to a dedicated wallet key and making public blockchain changes. Use a burner or low-balance wallet, verify the contract and chain, run dry-run/validation first where possible, and require manual approval before any transaction-sending command.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key is exposed or misused, the wallet could authorize transactions beyond the intended registration task.
The skill asks for a full wallet mnemonic or private key. That grants broad signing authority over the wallet, not just permission to manage one ERC-8004 profile, and the registry metadata does not declare a primary credential or required env vars.
export ERC8004_MNEMONIC="your twelve word mnemonic phrase here"
# OR
export ERC8004_PRIVATE_KEY="0x..."
Use a dedicated low-balance wallet, avoid pasting a main-wallet mnemonic, and only set the key in a controlled shell/session when you intend to transact.
A mistaken or autonomous invocation could create or modify an on-chain agent record and incur transaction costs.
The tool directly signs and broadcasts blockchain transactions. This is purpose-aligned, but high-impact because it can spend gas and change public on-chain registration data without an artifact-backed confirmation safeguard.
signed = account.sign_transaction(tx)
tx_hash = w3.eth.send_raw_transaction(signed.raw_transaction)
Review command arguments carefully, prefer dry-run where available, and require explicit human approval before any register, update, or fix command is run.
Dependency behavior could vary over time or across environments.
The skill relies on unpinned third-party Python packages, while the install spec is absent. This is expected for a Python blockchain CLI, but version/provenance are not fixed by the artifacts.
pip install web3 eth-account
Install in a virtual environment, pin known-good versions, and use trusted package sources.
The skill could continue running periodic checks after the initial task if the cron entry is added.
The skill documents optional scheduled execution for ongoing monitoring. It is disclosed and user-directed, but it creates persistence if the user installs the cron job.
# Cron: check health every hour
0 * * * * cd /path/to/skill && python scripts/register.py self-check >> /var/log/agent-health.log 2>&1
Only add the cron job if you want continuous monitoring, and remove it when no longer needed.
