v1.0.0

Agent Sovereign Stack

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:04 AM.

Analysis

This skill mostly matches its stated blockchain-and-memory purpose, but it can upload sensitive agent/user memory to external decentralized storage and use an ETH private key for on-chain actions.

Guidance: Review this carefully before installing. Use only a disposable test wallet, start on Base Sepolia, verify every contract address, set your own AGENT_ID, and do not upload real SOUL/MEMORY/USER files unless you are comfortable with persistent external storage and the lack of evident encryption/authentication.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium. Confidence: High. Status: Concern.
scripts/memory_client.py
Upload, retrieve, and manage encrypted agent memories ... Phase 2 will add ChaCha20-Poly1305 encryption. ... "content": base64.b64encode(data_bytes).decode() ... AGENT_ID = "rick-cortex-0"

The helper text suggests encrypted memories while the implementation only base64-encodes content, and it hardcodes an author/default agent identity for uploads.

User impact: A user may over-trust the privacy of uploaded memories or accidentally publish their data under the wrong agent identity.
Recommendation: Correct the documentation, implement real encryption before upload, and require an explicit AGENT_ID/address instead of hardcoded defaults.
Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: High. Status: Note.
metadata
Source: unknown; Homepage: none; Required binaries: none; Required env vars: none; Primary credential: none

The registry metadata does not declare the provenance, binaries, environment variables, or private-key credential that the SKILL.md and scripts rely on.

User impact: Install-time expectations are less transparent than they should be for a blockchain wallet and external-memory integration.
Recommendation: Declare required tools, credentials, network access, and source provenance in metadata before installation.
Unexpected Code Execution
Severity: Low. Confidence: High. Status: Note.
scripts/onboard.py
subprocess.run(cmd, capture_output=True, text=True, env=env, timeout=30) ... subprocess.run(["forge", "create", str(contract_src) + ":AgentTreasury", ... "--broadcast"], ...)

The script runs local blockchain CLI tools to send transactions and deploy contracts; this is purpose-aligned but important for users to notice.

User impact: Running the onboarding script can execute local commands that interact with a blockchain using the provided key.
Recommendation: Run only after reviewing the command arguments, confirming installed CLI provenance, and testing on Sepolia with a disposable wallet.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High. Confidence: High. Status: Concern.
scripts/onboard.py
"send", registry, "registerAgent()", "--rpc-url", rpc, "--private-key", private_key, "--chain", chain_id

The script directly uses a raw ETH private key to sign and send blockchain transactions for registration and memory updates.

User impact: Using a real wallet key gives the script authority to spend gas and create irreversible on-chain state; the key is also handed to local CLI processes.
Recommendation: Use a dedicated test wallet with minimal funds, verify contract addresses and chain settings, and avoid using a primary wallet private key.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: High. Confidence: High. Status: Concern.
scripts/onboard.py
for fname in ["SOUL.md", "MEMORY.md", "IDENTITY.md", "USER.md"]: ... files[fname] = fpath.read_text() ... f"{MEMORY_STORE_URL}/api/v1/agent/{agent_id}/memory"

The onboarding script reads identity, memory, and user files from the workspace and uploads them to a remote memory endpoint, creating persistent external memory from potentially private context.

User impact: Private agent or user notes could be published to a remote/decentralized store where deletion, access control, and later reuse are unclear.
Recommendation: Review and scrub all files before upload, use only non-sensitive test data unless encryption and deletion controls are clear, and require explicit confirmation for each file sent externally.
Insecure Inter-Agent Communication
Severity: Medium. Confidence: High. Status: Concern.
scripts/comms.py
_api("PUT", f"/api/v1/agent/{to_agent}/memory", ...) ... _api("GET", f"/api/v1/agent/{agent_id}/memory/history")

The communication helper can write to another agent's mailbox and read an agent history by ID, with no visible authentication, encryption, or signature verification in the artifact.

User impact: Messages may be spoofed, spammed, read by unintended parties, or used to poison an agent's future context if trusted automatically.
Recommendation: Treat all mailbox content as untrusted, require sender authentication/signatures, avoid sensitive content, and define clear read/write permissions for agent mailboxes.