Submit To Agentbeat

Pass. Audited by ClawScan on May 1, 2026.

Overview

This skill is coherent and transparent for AgentBeat submission, but it involves wallet keys, mainnet blockchain actions, x402 payments, and local credential storage that users should review carefully.

Install only if you want the agent to help create or use an EVM wallet, register on-chain, configure x402 payments, and submit to AgentBeat. Use an external signer where possible, fund the wallet with only the minimum needed, verify every contract/API address and transaction before approving it, pin dependency versions, and never publicly share the private key or voucher unless you explicitly intend to.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the private key is exposed or misused, funds in the wallet and payment authority could be lost.

Why it was flagged

The skill may use an EVM private key to sign blockchain or x402 actions. It clearly labels plaintext key storage as high risk and requires owner confirmation, making this purpose-aligned but sensitive.

Skill content

env_vars:
  - name: EVM_PRIVATE_KEY
    required: false
    description: Agent wallet private key... Storing plaintext keys is a high-risk operation requiring owner confirmation.

Recommendation

Prefer an external signer, OS keychain, or encrypted vault; store only minimal funds in the agent wallet; approve plaintext key storage only if you understand the risk.

What this means

The agent may spend gas and create or update public, hard-to-reverse blockchain records.

Why it was flagged

The instructions include signing and submitting real on-chain transactions to register or update an agent identity. This matches the purpose and is gated, but it mutates public blockchain state.

Skill content

const hash = await client.writeContract({
  address: IDENTITY_REGISTRY,
  ...
  functionName: "register",
  args: [AGENT_URI],
});

Recommendation

Verify the chain, contract address, transaction details, and gas cost before approving any signing action.

What this means

Installing unpinned packages can introduce unexpected dependency changes or supply-chain risk.

Why it was flagged

The skill relies on external npm/pip packages for wallet and x402 functionality. The examples are user-directed and purpose-aligned, but versions are not pinned in the documentation.

Skill content

npm install @x402/axios @x402/evm @x402/core

Recommendation

Install from trusted package registries, pin versions in your project, and review dependency changes before use.

What this means

If this local file is leaked or tampered with, future submissions or claims could use incorrect state or expose sensitive campaign and wallet metadata.

Why it was flagged

The skill persists operational state such as vouchers, reward decisions, endpoint declarations, and key-handling decisions in a local credentials file reused across steps.

Skill content

"agentbeat_voucher": "agentbeat_...",
"keyHandling": {
  "mode": "external-signer",
  "ownerApproved": true

Recommendation

Keep the credentials file private with restrictive permissions, back it up carefully, and re-check reward addresses and vouchers before claims or public sharing.