8004 Harness For Monad
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its blockchain-identity purpose, but it needs a wallet private key and can make public, irreversible blockchain/IPFS changes that are not declared in the registry metadata.
Install only if you intend to create or manage an ERC-8004 identity on Monad. Use a dedicated low-balance wallet, set credentials manually, confirm every transaction and public Pinata/IPFS upload, and review the generated identity file before using it in later CEO Protocol workflows.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent is given this key, it can sign the skill's blockchain transactions from that wallet and spend gas or alter the wallet's ERC-8004 identity state.
The scripts require a raw wallet private key to create a signing account. This is expected for on-chain registration, but it is high-impact authority and conflicts with the registry metadata declaring no required env vars or primary credential.
const account = privateKeyToAccount(requiredEnv("AGENT_PRIVATE_KEY"));
Use a dedicated low-balance wallet for this skill, do not reuse a main wallet key, and require explicit user confirmation before any transaction is signed. The skill metadata should declare AGENT_PRIVATE_KEY, PINATA_JWT, and RPC configuration.
A mistaken or autonomous invocation could create an on-chain identity, publish the generated card publicly, update its URI, and store that identity for later use.
The preferred one-shot workflow combines on-chain writes, public Pinata/IPFS publishing, and local identity-state persistence. Those actions fit the purpose, but the artifacts do not show a built-in confirmation or review step before irreversible/public changes.
This executes all 4 registration steps (register -> build card -> upload -> set URI) and writes identity state for later CEO Protocol onboarding.
Before running the one-shot command, review the agent name, description, output card, target network, registry address, and expected gas cost; require explicit approval for register and setAgentURI transactions.
Dependency version drift could change behavior if the scripts are installed or rebuilt later.
The helper scripts depend on external npm packages with caret ranges, so future installs may resolve to newer versions. This is common for Node tooling but worth noticing for a wallet-signing workflow.
"dependencies": {
  "pinata": "^2.5.1",
  "viem": "^2.38.5"
}
Use a lockfile or pinned dependency versions when running wallet-signing scripts, and install from a trusted package source.
If the file is wrong, stale, or overwritten, later onboarding or protocol interactions may use the wrong on-chain identity.
The one-shot script writes persistent identity state for later workflows. The stored values are on-chain identity details rather than secrets, but future agent tasks may rely on this file.
const identityFile = args.identityFile ?? "/root/.openclaw/workspace/AGENT_IDENTITY.md";
Review the generated AGENT_IDENTITY.md after registration and keep it scoped to the intended workspace and wallet.
