ERC-8004 Identity
v1.0.0
Deploy and manage an AI agent's onchain identity, reputation, and task capabilities on Avalanche using the ERC-8004 NFT standard.
by Giacomo Barbieri (@ijaack)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and SKILL.md describe deploying ERC-8004 identity contracts on Avalanche, and the included cli.js, ABIs, and artifacts implement that functionality. However, registry metadata claims no required environment variables while both SKILL.md and cli.js require a PRIVATE_KEY — this metadata omission is inconsistent and should be corrected/clarified.
Instruction Scope
SKILL.md instructs the user to run node cli.js init/deploy/status and to provide a PRIVATE_KEY via .env or macOS keychain. The runtime instructions and files reference only local config paths (config/agent.config.js, .env, deployment.json) and Avalanche RPC addresses — no unrelated system files or external endpoints appear in the instructions.
Install Mechanism
There is no automatic install spec (instruction-only), and the repository includes a normal package.json/package-lock that depends on ethers and dotenv from npm. No arbitrary URL downloads or extract operations are present in the manifest — standard npm dependencies are expected for this task.
Credentials
The CLI requires a PRIVATE_KEY to sign and submit transactions (legitimate for deploying contracts). That is a highly sensitive secret — but the skill registry metadata incorrectly lists no required env vars. The omission increases risk because users may not realize the skill needs a private key. Only one sensitive credential is needed (PRIVATE_KEY), which is proportional to the task, but users should NOT reuse a production wallet or a key with funds they cannot afford to lose.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. The CLI reads/writes files within its own skill directory (config/ and deployment.json) which is normal. The skill will run with the agent's ability to invoke it autonomously (platform default) but nothing in the code tries to modify other skills or global agent settings.
Scan Findings in Context
[base64-block] unexpected: A pre-scan flagged a 'base64-block' pattern in SKILL.md which may indicate a prompt-injection or obfuscation attempt. The visible SKILL.md text in the package does not contain obvious base64 payloads; this may be a false positive or an artifact of packaging. Still, treat this as a warning to inspect SKILL.md and files for hidden/encoded data before trusting the skill.
What to consider before installing
This package appears to implement exactly what it says: a CLI to register/deploy ERC-8004 agent identity contracts on Avalanche. However, the CLI requires a PRIVATE_KEY (stored in .env or read from your keychain) which is needed to sign transactions — the registry metadata incorrectly omitted that requirement. Before installing or running:
(1) do NOT use your main wallet private key; create a fresh test wallet with minimal funds (or use a hardware wallet / transaction approval flow if possible);
(2) review cli.js and the contract artifacts yourself (they are included) to confirm addresses and behavior;
(3) test on Fuji testnet or with a throwaway key to confirm flow and costs;
(4) verify deployed contract bytecode/addresses on a block explorer before interacting further;
(5) if the 'base64-block' scan finding concerns you, search the files for any encoded or hidden payloads and reject the skill if you find unexpected obfuscated content.
If you are not comfortable handling private keys, do not run the deploy commands.
Like a lobster shell, security has layers — review code before you run it.
