Agent Sovereign Stack
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its claimed on-chain agent setup purpose, but it uses raw wallet authority and uploads local identity/memory files to persistent external storage with unclear safeguards.
Only install or run this if you intentionally want to publish agent memory/identity to decentralized storage and perform blockchain actions. Use a fresh low-balance wallet, start on testnet, inspect the scripts and contract addresses, remove secrets from SOUL.md/MEMORY.md/USER.md, and do not rely on received agent messages unless sender authentication is added.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private agent notes, user context, or secrets in those files could be stored externally and reused or exposed longer than expected.
The onboarding flow reads local identity, memory, and user files and uploads them to a fixed remote memory-store endpoint. Base64 encoding is not encryption, and this type of decentralized memory may persist outside the local workspace.
MEMORY_STORE_URL = "http://[2a05:a00:2::10:11]:8081" ... "content": base64.b64encode(data).decode() ... for fname in ["SOUL.md", "MEMORY.md", "IDENTITY.md", "USER.md"] ... upload_to_memory_store(agent_id, fname, data, file_type)
Review every file before upload, remove secrets, require explicit per-file confirmation, and use real client-side encryption plus a clear retention/deletion policy.
A wallet private key can control funds and identity. Transactions can spend gas, create persistent on-chain state, and may be irreversible.
The script takes a raw ETH private key and uses it to sign on-chain transactions and contract deployments through local CLI tools.
run_cast(["send", registry, "registerAgent()", "--rpc-url", rpc, "--private-key", private_key, "--chain", chain_id], private_key) ... "forge", "create" ... "--private-key", private_key, "--broadcast"
Use only a fresh, low-balance test wallet unless you have audited the full flow and contracts. Prefer wallet-based signing prompts over pasting raw private keys.
Other agents could receive spoofed or untrusted messages and might treat them as legitimate context if not carefully verified.
The communications client can write messages into another agent ID's mailbox on the shared memory store. The supplied code shows a content hash, but no authenticated sender signature or access-control check.
# Also post to RECIPIENT's inbox ... _api("PUT", f"/api/v1/agent/{to_agent}/memory", { ... "type": f"inbox:{msg_type}" ... })
Treat all mailbox contents as untrusted. Add authenticated signatures, sender verification, authorization checks, and avoid automatic action on received messages.
If this client is used, a user's memory files may be uploaded or labeled under an unrelated agent identity, causing confusion or unintended disclosure.
The skill is presented as giving any user 'your agent identity,' but this memory client hardcodes the author's/default agent ID rather than requiring the user's ID.
AGENT_ID = "rick-cortex-0" # Token #0
Make AGENT_ID a required explicit setting, fail closed when it is missing, and remove author-specific defaults from user-facing upload tools.
Users and review tools may not realize before installation that the skill needs wallet-signing authority and external command-line blockchain tools.
The registry metadata under-declares the skill's real security-critical requirements; SKILL.md and scripts require an ETH private key and blockchain tooling such as cast/forge/curl.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Declare all required credentials, environment variables, binaries, network endpoints, and contract sources in metadata before publishing.
