Cortex Protocol

Audited by ClawScan on May 10, 2026.

Overview

The skill does what it claims, but it can generate and print a blockchain private key in plain text while creating a public on-chain identity.

Review this before installing or running it. The registration behavior matches the stated purpose, but avoid having the agent generate a wallet unless you are comfortable with the private key appearing in output. Prefer generating or managing the controller wallet in a secure wallet tool, then provide only the public controller address for registration.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Someone who sees the private key could control or impersonate the newly registered agent identity.

Why it was flagged

The script generates a controller wallet when none is supplied and prints the private key in plain text. That key controls the registered identity and could be captured in terminal output, chat transcripts, logs, or workspace history.

Skill content

echo "   Private Key: $PRIVATE_KEY"

Recommendation

Use an existing wallet or generate keys outside the agent in a secure wallet tool. Do not let the agent print or store private keys in conversation, logs, or shared workspaces.

What this means

Your agent name, controller address, and metadata URI may become associated with a public blockchain identity.

Why it was flagged

The skill sends agent identity information to an external API that performs a gasless on-chain registration. This is disclosed and central to the skill, but it is still a public account-affecting action.

Skill content

curl -X POST https://cortexprotocol.co/api/register ... "name": "YourAgentName", "controller": "0xYOUR_ETH_ADDRESS"

Recommendation

Only register when you intend to create a public on-chain identity, and review the name, controller address, and metadata URI before submitting.

What this means

The script may fail or rely on locally installed packages whose source/version the skill does not pin or declare.

Why it was flagged

The script requires Node.js, the ethers package, jq, and curl, but the metadata declares no required binaries and there is no install spec. This is a packaging/provenance gap rather than hidden execution.

Skill content

if command -v node &> /dev/null; then ... const { ethers } = require('ethers'); ... CONTROLLER=$(echo "$WALLET_OUTPUT" | jq -r '.address')

Recommendation

Install dependencies deliberately from trusted sources, and prefer a pinned/local dependency setup if using the script.

What this means

The registered token ID may persist in your workspace and be used in later tasks.

Why it was flagged

The skill recommends storing identity state in the workspace. This is expected for future reference, but it creates persistent context that later agent tasks may reuse.

Skill content

Store your token ID in your workspace for future reference

Recommendation

Store only non-secret identity references, and do not store private keys or sensitive wallet material in workspace notes.