ERC-800Claw
Audited by ClawScan on May 10, 2026.
Overview
Review recommended: the skill is purpose-aligned, but it can use an Ethereum private key to make public on-chain transactions through external packages that were not included for review.
Install only after verifying the npm/pip package and publisher. Do not use a valuable wallet private key; use a dedicated low-balance key and testnet first. Require the agent to show the exact network, contract, agent ID, action, and estimated gas cost before approving any registration or feedback transaction.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a funded or important wallet key is available, commands run through this skill could sign real blockchain transactions and spend gas or create public records.
The skill's usage documentation shows that it expects access to an Ethereum wallet private key for signing transactions. That is high-privilege account authority and is not declared in the provided registry requirements.
"Register my agent" | Run `erc-800claw register --name "Name"` (requires PRIVATE_KEY env var)
Use a dedicated low-balance wallet, prefer testnet first, and require explicit per-transaction approval. The skill should declare PRIVATE_KEY as a credential requirement and clearly scope which network and wallet will be used.
A mistaken or over-eager agent action could submit public mainnet registrations or ratings, incurring fees and changing on-chain reputation records.
The skill documents key-signed write operations, including reputation feedback, and defaults to mainnet. The artifacts do not show a required confirmation or transaction preview before these high-impact actions.
`--network, -n <name>` - Network to use (mainnet, sepolia). Default: mainnet ... `await client.giveFeedback(process.env.PRIVATE_KEY, agentId, { value: 4.5`
Before any write, require the user to confirm the network, contract, recipient/agent ID, action details, and estimated cost. Consider defaulting examples to testnet rather than mainnet.
Users must trust an unreviewed external package before giving it access to a wallet private key.
The skill relies on externally installed packages that are not included in the submitted files and are not version-pinned in the setup instructions. Those packages are the runtime that would handle private-key signing.
npm install erc-800claw ... pip install erc-800claw
Verify the package source and publisher, pin versions or hashes, inspect the package before use, and avoid exposing valuable private keys to unreviewed code.
Erroneous ratings or metadata can become part of a public reputation system and may be hard to correct.
Persistent public reputation is central to the skill’s purpose, but incorrect feedback can affect shared reputation state beyond the current chat.
Reputation Registry - Structured feedback scores from clients to agents ... scores accumulate on-chain
Double-check agent IDs, rating values, and metadata before submitting any on-chain reputation or identity transaction.
