8004 Harness For Monad
v1.0.0
Register and manage ERC-8004 Identity NFTs on Monad. Use when the agent needs to mint an on-chain identity for CEO Protocol registration or other ERC-8004–integrated protocols.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The scripts and SKILL.md implement ERC-8004 registration flows (register, build card, upload to Pinata, set token URI) that align with the skill description. However, the registry metadata declared 'Required env vars: none' and 'No install spec / instruction-only', while the SKILL.md and included scripts clearly require environment variables (MONAD_RPC_URL, AGENT_PRIVATE_KEY, PINATA_JWT, optional PINATA_GATEWAY) and Node dependencies (pinata, viem). This metadata/inventory mismatch is an incoherence that should be resolved before trusting the package.
Instruction Scope
Runtime instructions are narrowly scoped to on-chain registration, building a registration JSON, uploading it to Pinata, setting the on-chain URI, and persisting an identity file. Those actions require network access and a signing key (AGENT_PRIVATE_KEY). The instructions do fetch and parse external data (IPFS via a Pinata gateway) and write an identity file under the workspace; these behaviors are expected for the stated purpose but involve transmitting registration JSON to an external service (Pinata).
Install Mechanism
No install spec is provided even though package.json lists dependencies (pinata, viem) and the SKILL.md references a Docker image path (/opt/erc8004-scripts). The absence of an install step means it's unclear how required Node modules are supplied; that ambiguity increases operational risk (scripts may fail or rely on an environment that has network-capable Node modules installed).
Credentials
The env vars required by the scripts (MONAD_RPC_URL, MONAD_CHAIN_ID, AGENT_PRIVATE_KEY, PINATA_JWT, optional PINATA_GATEWAY) are logically required for minting and uploading, so they are proportionate to the task. However, the top-level skill metadata does not declare them, creating a mismatch. AGENT_PRIVATE_KEY is highly sensitive — supplying a key with broad wallet access has financial risk and must be minimized (use a key with only required funds/permissions or a hardware/ephemeral signing approach).
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and only writes files under the agent workspace (/root/.openclaw/workspace/AGENT_IDENTITY.md or provided paths). Autonomous invocation is allowed (platform default) but not combined with any unusual permanence or system-wide configuration changes.
What to consider before installing
This skill appears to implement the ERC-8004 registration flow correctly, but there are several things to consider before installing or running it:
- Metadata mismatch: The skill registry metadata claims no required env vars and 'instruction-only', but the skill includes scripts and does require several environment variables (MONAD_RPC_URL, MONAD_CHAIN_ID, AGENT_PRIVATE_KEY, PINATA_JWT). Treat that discrepancy as a red flag and prefer packages whose manifest accurately lists required secrets and dependencies.
- Sensitive credentials: The scripts require AGENT_PRIVATE_KEY (used to sign transactions) and PINATA_JWT (used to upload to Pinata). Only provide a private key with minimal MON balance and permissions (do not use your primary/mainnet key). Consider using an ephemeral or hardware-backed signing mechanism, or using a signing service that keeps keys off the skill runtime.
- External uploads: The skill uploads the registration JSON to Pinata (external third-party). That means your registration metadata will be sent to Pinata. If you need privacy, host on your own IPFS node or use a private gateway.
- Missing install details: package.json lists Node dependencies (pinata, viem) but no install instructions are present. Ensure you run the scripts in an environment with those dependencies installed and audit how they are installed (avoid blind downloads from unknown URLs).
- Code review: The repository code is small and readable; review the scripts (especially common.mjs and full-register.mjs) yourself or have a developer review them to confirm no hidden endpoints or exfiltration. Verify the contract address and ABI are expected for your environment.
- Operational safety: Run first on testnet (monad-testnet) with a throwaway wallet and small funds. Confirm the returned agentId, tokenURI, and on-chain ownership before using any key with higher value.
If you proceed, insist that the skill author update the metadata to list required env vars and provide an install specification or packaged runtime so you can more confidently assess what will be installed and what credentials are required.
Like a lobster shell, security has layers — review code before you run it.
