zscore

v1.0.3

Register agents on the Zeru ERC-8004 Identity Registry, manage wallets and metadata, and read on-chain state. Use when an agent needs to register on-chain, check fees, read agent info, set metadata, or manage agent wallets on Base Mainnet or Base Sepolia.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description say it will register agents, manage wallets/metadata and read on‑chain state — the code implements those operations (createAgentURI, registerAgent, setMetadata, getAgent, etc.). Required binaries (node, npx) and the PRIVATE_KEY env var are expected for signing transactions and running the provided TypeScript CLI.
Instruction Scope
SKILL.md instructs running npm install and npx tsx on the included scripts; the CLI reads user-supplied JSON files, signs requests, posts agent registration JSON to agentUriApiBase and agentapi.zpass.ai, and performs on‑chain reads/writes. These behaviors are consistent with the stated purpose, but the skill will transmit the agent registration JSON (and signed authentication headers) to external services, so users should avoid putting secrets in the registration JSON.
Install Mechanism
There is no automatic download-from-arbitrary-URL install step. The package.json lists reasonable npm dependencies (ethers, zod, canonicalize, tsx). The SKILL.md requires the operator to run npm install manually — no untrusted archive downloads or obscure URLs in installation.
Credentials
Only PRIVATE_KEY is required for write operations (with optional RPC_URL and CHAIN_ID overrides). That is proportionate to signing on‑chain transactions, but a PRIVATE_KEY is highly sensitive: supplying it grants the skill the ability to sign transactions and move funds from that account. The SKILL.md and code do not request unrelated secrets or other service API keys.
Persistence & Privilege
The skill is not set to always: true and does not modify other skills or system settings. It runs as a normal, user-invoked CLI and does not request elevated platform persistence.
Scan Findings in Context
[pre-scan] expected: No regex-based injection signals were detected. The lack of findings is unsurprising for well-structured SDK code that performs network calls and signing.
Assessment
This skill appears to do exactly what it claims (register and manage Zeru ERC‑8004 agents). Before installing or enabling it:
1) Understand that you must provide a PRIVATE_KEY environment variable for write actions — that key can sign transactions and move funds, so only use a wallet/key you control and are willing to use for this purpose (consider a separate low‑value key).
2) Registration JSON and signed headers are sent to external endpoints (agenturi.zpass.ai / agentapi.zpass.ai); do not include any secrets or private data in the agent JSON.
3) Review the included scripts locally (they are provided) before running npm install / npx tsx to confirm there are no modifications you’re uncomfortable with.
If you need a higher assurance review, ask for a line-by-line audit of the scripts or run them in an isolated environment with a throwaway key.

Runtime requirements

Bins: node, npx
Env: PRIVATE_KEY
Primary env: PRIVATE_KEY
