BaseCred
Pass. Audited by ClawScan on May 10, 2026.
Overview
BaseCred is a coherent wallet-reputation query skill, with the main cautions being its reliance on a user-installed npm SDK and workspace API keys.
This skill appears purpose-aligned for checking wallet reputation. Before installing, make sure you trust the basecred-sdk package, preferably pin its version, and run it from a workspace .env that contains only the required Talent Protocol key and optional Neynar key.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill executes code from the locally installed basecred-sdk package, so a compromised or unexpected package version could affect results or local runtime behavior.
The workflow depends on installing an external npm SDK without a pinned version. This is central to the skill's stated purpose, but users should trust and preferably pin the dependency.
Package installed in workspace: `npm i basecred-sdk`
Install basecred-sdk from a trusted source, consider pinning a known version, and avoid running the skill in sensitive workspaces until the dependency is reviewed.
The intended provider API keys are used for reputation lookups; if the same .env contains unrelated secrets, they may also become available to the Node process.
The script walks upward to find a .env file and loads its variables into the process before using provider API keys. This is expected for the Talent Protocol and Neynar integrations, but it means workspace credentials are part of the runtime.
`const candidate = path.join(dir, '.env'); ... if (!(key in process.env)) process.env[key] = val;`
Use a dedicated workspace .env containing only the needed TALENT_PROTOCOL_API_KEY and optional NEYNAR_API_KEY, and avoid running from directories whose parent .env files contain unrelated secrets.
