ERC-800Claw
Warn
Audited by ClawScan on May 18, 2026.
Overview
This appears to be a coherent ERC-8004 integration, but it asks for an Ethereum private key and can make default-mainnet on-chain writes, so it needs careful review before use.
Install only if you understand that this can use an Ethereum private key to create public on-chain records. Verify the npm/pip package first, use a dedicated low-value wallet, start on Sepolia/testnet, and require explicit confirmation before any mainnet registration or feedback transaction.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A private key can control an Ethereum account and authorize irreversible transactions; exposing it to an unreviewed package or agent workflow can put wallet assets and account reputation at risk.
The skill uses a raw Ethereum private key for write operations, while the metadata does not declare that credential requirement.
SKILL.md: "Run `erc-800claw register --name \"Name\"` (requires PRIVATE_KEY env var)" and "client.giveFeedback(process.env.PRIVATE_KEY, agentId, ...)"; metadata: "Required env vars: none" / "Primary credential: none"
Use only a dedicated low-value wallet, prefer testnet first, avoid providing a main wallet private key, and require the skill metadata to clearly declare and scope PRIVATE_KEY use.

The agent could create public, persistent on-chain registrations or feedback on mainnet, potentially costing gas and affecting reputations.
The documented workflow can run blockchain write commands, and the default network is mainnet, without documented safeguards such as explicit confirmation of transaction details.
"`--network, -n <name>` - Network to use (mainnet, sepolia). Default: mainnet" and "Register my agent" | "Run `erc-800claw register --name \"Name\"`"
Confirm network, recipient/agent ID, rating, metadata, and fees before any write; default to Sepolia or another testnet for setup and require user approval before mainnet transactions.

Users must trust the package registry contents and package provenance, especially because the package may receive a wallet private key for write operations.
The skill relies on external package-manager installs, and no package code is included in the reviewed artifacts.
"npm install erc-800claw" and "pip install erc-800claw"
Verify the package source, repository, version, and maintainers before installing, and consider pinning versions or reviewing package code before use.
