Pinata ERC-8004 Review
Audited by ClawScan on May 1, 2026.
Overview
This is a high-risk but clearly disclosed crypto/IPFS skill that requires a wallet private key and Pinata token, with explicit warnings and confirmation rules before irreversible actions.
Install only if you are comfortable giving the skill access to a dedicated Ethereum private key and Pinata API token. Use a low-balance wallet, restrict the Pinata token, and never confirm transactions, NFT transfers, uploads, or deletions unless the displayed details are exactly what you intend.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: Ethereum wallet private key (PRIVATE_KEY)
Impact: If the wrong wallet key is provided or a transaction is confirmed incorrectly, the wallet could spend gas or transfer valuable NFTs/assets.
Details: The skill requires a raw Ethereum private key, which is powerful account authority. The artifact clearly discloses the risk and instructs users to use a dedicated low-value wallet.
Credential: PRIVATE_KEY (Ethereum wallet private key) - Used for: signing blockchain transactions, minting NFTs, transferring assets.
Recommendation: Use only a dedicated, low-balance wallet for this skill, never a primary wallet, and verify every transaction before confirming.
Finding 2: Pinata IPFS API token (PINATA_JWT)
Impact: A broadly scoped Pinata token could allow unwanted uploads, deletions, or quota usage if misused.
Details: The skill requires a Pinata API credential that can affect hosted IPFS content and storage quota. The artifact discloses this and recommends a dedicated or restricted Pinata account/key.
Credential: PINATA_JWT (IPFS API token) - Used for: uploading/deleting files on Pinata IPFS.
Recommendation: Use a dedicated Pinata account or a restricted API key limited to the files and operations needed for agent registration.
Finding 3: Irreversible confirmed actions
Impact: Confirmed actions may spend gas, mint NFTs, transfer ownership, or delete IPFS files, and some of these actions cannot be undone.
Details: The skill can perform high-impact actions such as blockchain transactions and file deletions, but it explicitly requires user confirmation and full operation details before proceeding.
Evidence (from the artifact): "Before ANY transaction or destructive operation, you MUST: Display complete operation details; Wait for explicit 'yes' or 'confirm' from user; Never proceed with implied consent."
Recommendation: Only confirm after checking the full wallet address, contract, network, token ID, CID, and estimated cost.
Finding 4: Generated Node.js scripts that handle credentials
Impact: Running generated scripts without review could expose or misuse credentials if the generated script deviates from the documented rules.
Details: The workflow involves generated Node.js scripts for blockchain operations. This is aligned with the Viem-based purpose, but generated code that handles private keys should be reviewed carefully.
Evidence (from the artifact): "PRIVATE_KEY is used ONLY as an argument to Viem's privateKeyToAccount() inside generated Node.js scripts."
Recommendation: Review generated scripts before running them and ensure credentials are referenced only via environment variables, not written into files or logs.
