Chitin Cert
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill is a coherent, instruction-only integration for issuing and verifying blockchain certificates, but users should treat issuance, API keys, and optional external tooling carefully because certificates are public and persistent.
Install only if you intend to let the agent help with public on-chain certificate workflows. Keep wallet private keys out of the system, protect the ck_ API key, and manually confirm any certificate issuance or batch issuance because records are designed to be permanent.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could issue an unwanted or inaccurate certificate under the user's issuer identity.
The skill documents direct API calls that mint certificates. This is core to the purpose, but it is a mutating action that should be user-approved.
curl -X POST https://certs.chitin.id/api/v1/certs ... "Authorization: Bearer ck_abc123..."
Only provide an API key when you intend to issue certificates, and review all certificate details before allowing issuance.

Anyone or any agent with the API key may be able to issue certificates for the issuer address.
The skill requires a bearer API key for issuance, and the artifact explicitly states that the key grants full issuance authority.
"warning": "NEVER share your ck_ API key. It grants full cert issuance power for your issuer address."
Keep the API key private, rotate it if exposed, and avoid storing it in prompts, logs, or shared workspaces.

Incorrect or premature certificates may remain publicly visible and hard to remediate.
The skill emphasizes that issued certificates are permanent and non-transferable, so mistakes can have lasting public effects.
**Permanent** — Arweave storage + Base L2 NFT. Cannot be faked, deleted, or transferred.
Verify recipient addresses, certificate type, evidence links, and wording before issuing, especially for public compliance or audit claims.

Running the optional MCP server would execute code from an external package outside this instruction-only skill review.
The artifact mentions an optional external npm MCP server that is not included in the reviewed code files or install spec.
npx -y chitin-mcp-server
Review the npm package, version, and permissions before running the optional MCP server.
