ERC-8128
Review
Audited by ClawScan on May 1, 2026.
Overview
The skill is coherent ERC-8128 documentation, but following it may involve installing an external npm CLI and handling Ethereum private keys.
This skill appears benign and purpose-aligned, but treat it as security-sensitive documentation. Before using it, verify the provenance of the @slicekit/erc8128 packages, avoid raw private keys where an encrypted keystore or hardware wallet is available, sign with dedicated low-value keys, keep signature TTLs short, use replayable signatures only when the endpoint genuinely needs them, and inspect every signed request before it is sent to a real API.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a private key is exposed or used with an untrusted tool, the wallet identity and potentially wallet assets could be compromised.
The CLI is documented as accepting Ethereum private keys from files, command-line arguments, or environment variables. This is expected for signing, but those credentials can control valuable wallet identity and must be handled carefully.
`--keyfile <path>` | Raw private key file ... `--private-key <key>` | Raw private key (⚠️ insecure) ... `ETH_PRIVATE_KEY` env var also supported.
Prefer encrypted keystores or hardware wallets where available. If a raw key must be used, supply it through `--keyfile` pointing at a file readable only by the invoking user: a key given with `--private-key` is visible in process listings and shell history, and one set in `ETH_PRIVATE_KEY` is inherited by every child process of that shell. Do not store raw keys in shared config, and use only keys dedicated to this purpose.
Installing or running an unverified package could expose local data or private keys if the package were compromised.
The skill directs users to an external npm CLI package that is not bundled in the artifacts. This is normal for a CLI documentation skill, but users should verify package provenance before using it with wallet keys.
`npm install -g @slicekit/erc8128-cli` ... `npx @slicekit/erc8128-cli curl <url>`
Install from the official package source, pin a known version rather than `latest`, review the package contents before first use, and do not use high-value keys with newly installed tooling.
A mistaken URL, payload, or replayable signature setting could authenticate an unintended request to a service that trusts the wallet signature.
The CLI can send authenticated signed HTTP requests to user-supplied URLs and can optionally create replayable signatures. This is central to the skill's purpose, but the impact depends on the endpoint and options used.
`erc8128 curl [options] <url>` ... `--replay <mode>` | `non-replayable` | `replayable` ... `--dry-run` | Sign only, don't send
Use `--dry-run` while testing so nothing is sent, keep signature TTLs short, prefer `non-replayable` request-bound signatures (a `replayable` signature authenticates every later resend of the same request by whoever holds it), and confirm the endpoint and request body before sending a signed request.
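The three findings amount to one operating procedure: install a pinned, reviewed CLI; let the key reach the tool only through a locked-down file; and check every signed request before it leaves the host. The wrapper below is an added example written for this review, not code from the skill or from the @slicekit/erc8128-cli package. It assumes the `erc8128` binary is on PATH and that the `--keyfile`, `--replay` and `--dry-run` flags behave as the SKILL.md excerpts quoted above describe; `ALLOWED_HOSTS`, `ALLOW_REPLAYABLE`, the function names and the file name are the example's own. No TTL option is passed because the quoted excerpts do not name one.

```shell
#!/bin/sh
# erc8128-safe.sh: preflight wrapper around `erc8128 curl`.
# Added example for this review; not part of the skill or of @slicekit/erc8128-cli.
# Assumptions: `erc8128` is on PATH and --keyfile, --replay and --dry-run behave as
# quoted from SKILL.md. ALLOWED_HOSTS and ALLOW_REPLAYABLE are this wrapper's own knobs.
set -eu

# 1. Install hygiene: accept only the documented package at an exact version, never a
#    floating tag or range, so the code that was reviewed is the code that runs next time.
install_spec_ok() {
  spec=$1
  pkg=${spec%@*}          # drop the trailing @<version>; a spec with no version collapses to ""
  version=${spec##*@}
  if [ "$pkg" != "@slicekit/erc8128-cli" ]; then
    echo "unexpected package: $spec" >&2; return 1
  fi
  if ! printf '%s\n' "$version" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo "pin an exact version, not '$version'" >&2; return 1
  fi
}

install_cli() {
  install_spec_ok "$1" || return 1
  npm pack --dry-run "$1"    # list the tarball contents for review; writes nothing
  npm install -g "$1"
}

# 2. Key handling: the key reaches the CLI only through a file nobody else can read.
#    --private-key lands in `ps` output and shell history; ETH_PRIVATE_KEY is inherited by
#    every child process. This wrapper refuses both channels.
env_ok() {
  if [ -n "${ETH_PRIVATE_KEY:-}" ]; then
    echo "ETH_PRIVATE_KEY is set; unset it and use a keyfile" >&2; return 1
  fi
}

keyfile_ok() {
  f=$1
  [ -f "$f" ] || { echo "keyfile missing: $f" >&2; return 1; }
  bits=$(ls -ld "$f" | cut -c5-10)        # group and other rwx bits; "------" for mode 600
  if [ "$bits" != "------" ]; then
    echo "keyfile $f is readable by others; chmod 600 it" >&2; return 1
  fi
}

# 3. Endpoint check: a signature authenticates whatever URL it is bound to, so a typo'd or
#    attacker-chosen host would receive a perfectly valid signature. HTTPS and an allowlisted
#    host only; URLs carrying userinfo (user@host) are refused outright.
url_ok() {
  url=$1
  allowed=${ALLOWED_HOSTS:-}
  case $url in
    https://*) ;;
    *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
  esac
  authority=${url#https://}
  authority=${authority%%[/?#]*}           # keep host[:port] only
  case $authority in
    *@*) echo "refusing URL with userinfo: $url" >&2; return 1 ;;
  esac
  host=${authority%%:*}
  for h in $allowed; do
    [ "$host" = "$h" ] && return 0
  done
  echo "host '$host' is not in ALLOWED_HOSTS='$allowed'" >&2
  return 1
}

# 4. Replay policy: default to request-bound, non-replayable signatures. A replayable
#    signature authenticates every later resend of the same request, so it needs an opt-in.
replay_ok() {
  case $1 in
    non-replayable) return 0 ;;
    replayable)
      if [ "${ALLOW_REPLAYABLE:-0}" = 1 ]; then return 0; fi
      echo "replayable signature requested; set ALLOW_REPLAYABLE=1 only if the endpoint needs it" >&2
      return 1 ;;
    *) echo "unknown replay mode: $1" >&2; return 1 ;;
  esac
}

# 5. Send: run every check, sign without sending (--dry-run) so the operator can inspect
#    the request, then send only after an explicit yes. Further arguments are passed
#    through to `erc8128 curl` unchanged (method, headers, body, as the CLI documents them).
send_signed() {
  if [ $# -lt 3 ]; then
    echo "usage: send_signed <keyfile> <url> <non-replayable|replayable> [erc8128 curl options]" >&2
    return 1
  fi
  keyfile=$1; url=$2; mode=$3; shift 3
  env_ok && keyfile_ok "$keyfile" && url_ok "$url" && replay_ok "$mode" || return 1
  erc8128 curl --keyfile "$keyfile" --replay "$mode" --dry-run "$@" "$url"
  printf 'Send this signed request to %s? [y/N] ' "$url"
  read -r answer
  [ "$answer" = y ] || { echo "not sent" >&2; return 1; }
  erc8128 curl --keyfile "$keyfile" --replay "$mode" "$@" "$url"
}

# Dispatch only the two entry points; anything else prints usage.
if [ $# -gt 0 ]; then
  case $1 in
    install_cli|send_signed) "$@" ;;
    *) echo "usage: $0 install_cli <spec> | send_signed <keyfile> <url> <mode> [options]" >&2; exit 2 ;;
  esac
fi
```

Typical use is `./erc8128-safe.sh install_cli @slicekit/erc8128-cli@<version>` once, then `ALLOWED_HOSTS=api.example.com ./erc8128-safe.sh send_signed ~/.erc8128/signing-key https://api.example.com/v1/orders non-replayable` per request (hostname and path are placeholders). The real send is a fresh signing of the same request, so what the operator reviewed in the dry run is the request shape, not the final signature bytes; the checks on key, host and replay mode are what actually constrain the second run.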
