Agent identity and reputation registration
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill's blockchain registry purpose is coherent, but the artifacts ask users to run an unreviewed npm MCP package that manages funded wallets and can perform public on-chain writes.
Only install this if you trust and have verified the external @quantulabs/8004-mcp package. Start on testnet, use a disposable low-balance wallet, pin the package version, require manual confirmation for every write or mainnet action, and choose your own strong wallet-store password.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the package gives third-party code local execution and potential access to wallet-management workflows that can affect funds.
The documentation requires executing an external npm package, but the provided artifact set has no install spec and no reviewed code. Because that package manages wallets and transactions, the unpinned external runtime is a material provenance risk.
npm install -g @quantulabs/8004-mcp ... npx @quantulabs/8004-mcp
Verify the npm package and maintainer, pin an exact version or integrity hash, review the package source, and test in a sandbox/testnet before funding any wallet.
After unlocking a funded wallet, the connected agent/MCP server could sign or broadcast blockchain transactions that spend gas or create public records.
A single unlock grants access to wallet-backed write operations. The artifacts do not show per-action authorization, spending caps, or containment for funded wallets.
The wallet store encrypts all your wallets with a single master password ... wallet_store_unlock ... // Now all write operations work
Use dedicated low-balance wallets, prefer testnet, keep the store locked when not needed, require manual approval for every write, and never reuse the example password.
Mistaken or autonomous tool use could create irreversible public registrations or feedback and incur transaction fees.
The documented tools can publish IPFS data, mutate on-chain registry state, submit feedback, and switch to mainnet. The artifacts disclose costs but do not demonstrate mandatory review gates before high-impact tool calls.
Register a new agent ... Uploading registration to IPFS... Registering on-chain... Agent registered! ... Switch to mainnet
Use estimateCost and skipSend/dry-run modes first, require explicit user confirmation for mainnet or IPFS/on-chain writes, and restrict the agent to testnet unless real spending is intended.
