ERC-8128

v1.0.0

Sign and verify HTTP requests with Ethereum wallets using ERC-8128. Use when building authenticated APIs that need wallet-based auth, making signed requests...

by jacopo (@jacopo-eth)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (ERC-8128 HTTP signatures) match the contents: examples for signing and verifying, a verifier nonce-store, Express middleware, and a CLI are all appropriate for building wallet-based HTTP auth.
Instruction Scope
SKILL.md and references/cli.md limit actions to signing/verifying requests and reading key material (keystore, keyfile, or ETH_PRIVATE_KEY). There are no instructions to read unrelated system files or exfiltrate data. Use of NonceStore and Redis is scoped to replay protection and is relevant.
Install Mechanism
This is an instruction-only skill with no install spec. The docs point users to install npm packages (e.g., @slicekit/erc8128-cli) via npm/npx — expected for a JS CLI but means installing external code from registries if you follow the docs. Because no package source/homepage is provided in the skill metadata, you cannot verify the referenced packages from this skill bundle alone.
Credentials
The skill declares no required environment variables, but the docs mention using ETH_PRIVATE_KEY and support keyfile/keystore/password/--private-key options. Those env/file accesses are normal for a signing tool, but the metadata/instructions mismatch (no declared required env in metadata) is worth noting. The number and type of secrets referenced are proportionate to the task, but handling private keys on the CLI or as raw env vars is intrinsically risky and the docs themselves warn about it.
Persistence & Privilege
Skill is not always-enabled, does not request persistent system-wide privileges, and is instruction-only (no code written by the skill). It does not ask to modify other skills or system configs.
Assessment
This skill's content is coherent for building wallet-signed HTTP requests and verification. Before you use it: (1) note that the skill bundle contains only documentation — the actual CLI/library would be installed separately (npm/@slicekit packages); verify the package publisher and inspect the package code before installing. (2) Avoid passing raw private keys on command lines or in scripts; prefer encrypted keystores, hardware wallets, or process-limited environment injection. (3) If you plan to run the CLI, prefer installing from an official, verifiable source and check package integrity (verify author, version, and package contents). (4) If you need higher assurance, ask the publisher/source for a repository or checksum and request a homepage or canonical source URL — absence of a homepage in the skill metadata reduces confidence in auditing the referenced packages.
