Maiat Trust API

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its trust-API purpose, but it encourages automatic outcome and threat reporting to a shared reputation network, which could affect others without clear user approval.

Install only if you are comfortable sending wallet, token, job, and outcome data to Maiat. Before allowing an agent to use it autonomously, require confirmation for outcome or threat reports, and independently review the optional wallet-guard npm package before connecting it to transaction-sending code.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could submit incorrect or unwanted outcome reports tied to a reporter wallet, potentially affecting shared trust scores or reputation records.

Why it was flagged

The skill directs the agent to make a reputation-affecting POST request after using a trust score, using mandatory wording and without describing user confirmation, validation, or reversal.

Skill content

After acting on a trust score, **always** report the outcome... POST /api/v1/outcome { jobId, outcome, reporter }

Recommendation

Require explicit user approval before submitting outcome reports, validate the job ID and outcome, and document how reports can be corrected or removed.

What this means

A mistaken block or report could influence protections or trust decisions for other agents, not just the installing user.

Why it was flagged

Blocked transaction events are described as being reported to a shared network and then propagated to other protected agents, but the artifact does not describe containment, review, or false-positive handling.

Skill content

Threat Reporting — blocked attacks are reported to the network... Collective Immunity — all Guard-protected agents get instant protection

Recommendation

Make threat reporting opt-in or approval-gated, explain what data is reported, and provide a false-positive correction process.

What this means

If the optional wallet guard is used, the user's agent depends on external package code that this review did not inspect.

Why it was flagged

The skill recommends installing an external npm package for wallet protection, but that package's code and lockfile are not part of the reviewed artifact set.

Skill content

npm install @jhinresh/viem-guard viem

Recommendation

Verify the npm package source, version, and permissions before installing; prefer pinned versions and review the package before using it with a wallet.

What this means

Using the skill may associate a wallet address with an agent name and Maiat identity.

Why it was flagged

Passport registration links an agent identity to a wallet address and creates an on-chain identity; this is aligned with the skill purpose but is identity-sensitive.

Skill content

`walletAddress` | ✅ | Valid 0x address ... ERC-8004 Identity — on-chain agent registration on Base Mainnet

Recommendation

Use only a wallet address you are comfortable linking to the agent identity, and do not provide private keys or signing credentials.

What this means

Future agent sessions may reuse the stored wallet-linked identity automatically.

Why it was flagged

The skill recommends persisting the agent's ENS name and wallet address for later reuse; this is not a secret, but it creates persistent agent context.

Skill content

Recommended: Save your passport to memory or config

Recommendation

Store only the minimum identity details needed, keep them in a user-controlled config location, and allow the user to update or remove them.