GhostScore

v1.0.3

Private reputation scoring for AI agents — query on-chain credit tiers earned via x402 micropayments through Unlink shielded transfers on Monad, and verify t...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, required env vars (MONAD_RPC_URL and GHOSTSCORE_API_KEY), and the declared network permissions align with a read-only reputation/attestation verifier for an on-chain protocol. Nothing requested is obviously unrelated to the stated purpose.
Instruction Scope
Instructions are mostly scoped to read-only RPC queries and calling the GhostScore API. However, verification steps are underspecified: the SKILL.md instructs using ethers.verifyMessage() to check signatures but does not describe how to validate zero-knowledge proofs or where to reliably obtain the GhostScore server's canonical public address. The file is also truncated near the end, leaving some rules incomplete. These gaps could cause incorrect verification if not clarified.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk installation surface. Nothing is downloaded or written to disk by the skill itself.
Credentials
Only two required env vars (RPC URL and API key) are declared; both are justifiable for read-only contract queries and backend API calls. The skill explicitly states it does not request private keys or signing material.
Persistence & Privilege
Registry-level flags indicate default model invocation is allowed, but the SKILL.md includes 'autonomous: false' (disallowing autonomous operation). This metadata mismatch should be clarified. The skill does not request 'always' presence or elevated system privileges.
Assessment
This skill appears to do what it says (read-only reputation queries and attestation checks) and only asks for a chain RPC URL and an API key. Before installing:
1) Confirm which field or API provides the GhostScore server's canonical public signing address (needed to validate attestations) and whether the skill also validates the underlying ZK proof (not just a signature).
2) Verify the GhostScore API hostname and dashboard are legitimate (onrender.com is a hosting service) and that the API key issuance process is trustworthy.
3) Test with non-sensitive data first (do not supply wallet keys, seed phrases, or private addresses).
4) Ask the publisher to resolve the metadata mismatch (SKILL.md autonomous:false vs. registry defaults) and to provide complete, untruncated verification steps in SKILL.md.
If those clarifications are provided, the skill is coherent; without them the verification behavior may be incomplete or ambiguous.

