NadName Agent
Warn
Audited by ClawScan on May 10, 2026.
Overview
This .nad registration skill matches its stated blockchain purpose, but it handles wallet-level secrets and includes misleading/mock behavior, so it needs careful review before using real funds.
Do not use a main wallet. If you install this, use a fresh low-balance wallet, pin dependencies, run dry-run first, verify the contract/API independently, and avoid managed-mode wallet creation in an agent session because the script can display or store recovery material.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with a main wallet or captured in an agent transcript, the private key or mnemonic could expose funds and allow irreversible blockchain actions.
The registration script can use a wallet private key, read an unencrypted private-key file in managed mode, and print a mnemonic recovery phrase. This is high-impact signing authority over a blockchain wallet and is more sensitive than the metadata declares.
const PLAIN_KEY_FILE = path.join(CONFIG_DIR, 'private-key'); ... if (fs.existsSync(PLAIN_KEY_FILE)) { console.warn('⚠️ Using unencrypted private key ...'); return fs.readFileSync(PLAIN_KEY_FILE, 'utf8').trim(); } ... console.log(`๐ค ${wallet.mnemonic.phrase}`);
Use only a new, low-balance wallet; avoid creating or displaying mnemonics through an agent session; remove the plaintext key fallback; and explicitly declare PRIVATE_KEY/keystore handling in metadata.
A user could trust an inaccurate availability result and proceed toward a paid registration or other wallet action based on mock data.
The fallback checker labels simulated results as on-chain availability, while the documentation advertises real API integration and accurate pricing.
// In a full implementation, you'd call the NNS contract here ... // For now, we'll do a basic simulation ... return { available: true, owner: null, source: 'on-chain' };
Fail closed when API/contract checks are unavailable, clearly label simulation mode, and implement real contract reads before presenting availability as on-chain.
Running the registration command can spend tokens and permanently affect on-chain ownership/name settings.
The advertised workflow sends a blockchain transaction with MON value and a gas buffer. This is purpose-aligned for registering a name, but it is financially impactful and generally irreversible.
await contract.registerWithSignature(registerData, signature, { value: ethers.parseEther(price), gasLimit: estimatedGas * 2n });
Run dry-run first, verify price and gas independently, and require explicit user approval immediately before any transaction.
The provider can learn the name request and wallet address before or during registration.
The registration flow sends the requested name and wallet address to the NAD API. This is expected for the stated integration and does not show private-key transmission.
POST https://api.nad.domains/api/register-request Body: { "name": "myname", "owner": "0x...", "setAsPrimary": true, "referrer": null, "paymentToken": "0x0000000000000000000000000000000000000000" }
Use the API only if you trust the Nad Domains service and are comfortable linking the requested name with the wallet address.
A future npm install could resolve to a different ethers version than the author tested.
The skill depends on an npm package with a semver range rather than a pinned lockfile in the provided manifest. This is common, but dependency versions can change over time.
"dependencies": { "ethers": "^6.0.0" }
Use a lockfile or pin exact dependency versions before handling wallet keys or sending transactions.
