ERC-8004 Identity
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill fits its Avalanche identity purpose, but it needs a raw wallet private key and deploys compiled smart-contract code that users cannot fully verify from the supplied artifacts.
Install only if you are comfortable giving the skill access to a dedicated Avalanche wallet key. Do not use your main wallet, keep only the AVAX needed for deployment, verify the contract source/provenance first, and approve each on-chain action deliberately.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a primary or well-funded wallet key is used, the skill can authorize on-chain transactions and spend gas from that wallet when commands run.
The CLI turns a PRIVATE_KEY environment variable into a signing wallet for Avalanche transactions. This is high-impact wallet authority and is not reflected in the supplied registry metadata's credential/env-var declarations.
const privateKey = process.env.PRIVATE_KEY; ... return new ethers.Wallet(privateKey, provider);
Use a dedicated low-balance wallet, keep the key out of shared agent contexts, declare the credential requirement clearly, and require explicit user approval before any transaction.
A user may deploy opaque or unaudited contract bytecode to mainnet using their wallet, creating persistent on-chain effects and costs.
The package includes compiled smart-contract bytecode with a referenced Solidity source path, but the supplied manifest does not include that source file. The CLI deploys these artifacts, so users cannot fully review contract behavior from the provided source materials.
"sourceName": "contracts/TaskAgent.sol", ... "bytecode": "0x60a034...
Provide the Solidity sources, verified contract hashes, build instructions, and audit/provenance information before users deploy on mainnet.
Running the deploy command can spend AVAX on gas and publish/update public on-chain records.
The deploy flow performs multiple blockchain mutations: identity registration, contract deployment, task-price updates, and metadata writes. This is purpose-aligned and documented, but it is irreversible and fee-bearing.
const tx = await identity["register()"]({ gasLimit: 200000 }); ... const taskAgent = await factory.deploy(...); ... const tx = await taskAgent.setTaskPrice(task.id, targetPrice);
Review the config, wallet balance, network, and contract artifacts before running deploy; test with a low-value wallet first.
If the config file is copied from an untrusted source or modified by another party, it could run arbitrary local JavaScript.
The config file is loaded as JavaScript, so code in config/agent.config.js executes when the CLI loads it. This is a common local-config pattern, but it is riskier than parsing data-only JSON.
delete require.cache[require.resolve(configPath)]; return require(configPath);
Only use trusted config files, consider switching to JSON for data-only configuration, and review config changes before running the CLI.
