Basename Agent
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its Basename-registration purpose, but it asks the agent to use a wallet private key and includes auto-approving WalletConnect transaction signing, so it needs careful review before use.
Only use this with a new low-balance wallet, verify the Basename contract/API and every transaction, prefer interactive approval, and do not let the agent run the generic WalletConnect helper against untrusted dApp URIs.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or mistaken WalletConnect URI could cause the agent to approve wallet actions before you personally review them.
The helper exposes transaction and signing methods and defaults to non-interactive auto-approval unless the user explicitly passes --interactive.
Allows AI agents to programmatically connect to dApps via WalletConnect and automatically sign transactions... interactive: false... methods: ['eth_sendTransaction', 'eth_signTransaction', 'personal_sign', 'eth_signTypedData', 'eth_signTypedData_v4']
Use only trusted WalletConnect URIs, run with --interactive, and keep only limited funds in a dedicated wallet.
If the agent or connected dApp behaves unexpectedly, the wallet tied to PRIVATE_KEY could sign messages or transactions with real financial consequences.
A raw wallet private key grants broad signing and spending authority; the artifacts do not enforce contract, amount, or dApp limits around that authority.
Environment Variables (REQUIRED): PRIVATE_KEY Wallet private key
Never use a primary wallet key; create a dedicated low-balance wallet and verify every transaction destination and value.
The agent may treat financial/onchain registration as something it should do without asking you first.
The wording encourages the agent to avoid human confirmation even though the workflow can spend ETH, donate funds, and sign wallet messages.
Your agent deserves a name and an email. Get both without bothering your human.
Require explicit user approval before any registration, donation, wallet signature, or transaction.
Installing dependencies may run code that differs from what was reviewed here.
The package uses version ranges, so a future npm install could fetch dependency versions not represented in this review.
"dependencies": {
"@walletconnect/core": "^2.0.0",
"@walletconnect/web3wallet": "^1.0.0",
"ethers": "^6.0.0",
"puppeteer": "^21.0.0"
}
Use a lockfile or pinned dependency versions and install in an isolated environment.
