Skill v1.0.2
ClawScan security
Agentcast · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 9:07 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and runtime instructions match its stated purpose (Farcaster + ERC‑8004 registration) but the package metadata omits required environment variables and the scripts default to routing signed messages through the AgentCast proxy, which requires trusting an external service — these inconsistencies warrant caution.
- Guidance
- This skill appears to implement exactly what it claims (registering a Farcaster username/profile and an ERC‑8004 identity), but there are a few things to consider before using it:
  - Metadata mismatch: the registry entry claims no required env vars, but the scripts require PRIVATE_KEY (Ethereum custody key) and SIGNER_KEY (Farcaster Ed25519 signer). Expect to provide those when running the scripts locally.
  - Trust the AgentCast proxy: by default the scripts post signed messages and signatures to https://ac.800.works endpoints to bypass payment steps. The scripts do not send your raw private keys, but they do send signed artifacts — you must trust AgentCast not to misuse or replay them. If you prefer not to rely on the proxy, supply your own NEYNAR_API_KEY or run against the upstream endpoints described in the scripts.
  - Minimize exposure: run these scripts locally on a machine you control. Preferably use an ephemeral or low-value wallet for initial testing (so you don't risk major funds if keys are exposed). Never paste private keys into chat or other logging channels.
  - Ask the maintainer to update registry metadata: the skill should declare required env vars (PRIVATE_KEY, SIGNER_KEY, optional NEYNAR_API_KEY) so installers are not surprised. If you need higher assurance, request the maintainer to provide an independent audit of the proxy endpoints or run the flows against the upstream APIs (Neynar/farcaster endpoints) with your own API keys instead of the default proxy.
Review Dimensions
- Purpose & Capability
- note: Name/description (AgentCast: Farcaster + ERC‑8004 on Base) align with the included scripts: register-erc8004, register-fname, set-profile, and verify-wallet-on-farcaster. Operations legitimately require an Ethereum PRIVATE_KEY and an Ed25519 SIGNER_KEY for signing. However, the skill registry metadata declares no required env vars or credentials while the scripts clearly require PRIVATE_KEY and SIGNER_KEY (and optionally NEYNAR_API_KEY). This metadata omission is an inconsistency.
- Instruction Scope
- concern: SKILL.md and the scripts instruct the agent/operator to run local scripts that sign messages with PRIVATE_KEY and SIGNER_KEY and then post signed messages to external endpoints. The scripts default to using AgentCast proxy endpoints (https://ac.800.works/api/...) to submit hub messages and verifications (explicitly advertised as a way to bypass x402 USDC payments). While the scripts do not transmit raw private keys (they send signed messages or signatures), they do send signed message bytes and signature objects to the AgentCast proxy — this requires trusting that service with those signed artifacts. The SKILL.md does not declare required env vars even though the runtime instructions expect them.
- Install Mechanism
- ok: No exotic install mechanism is bundled. This is an instruction-plus-scripts skill; package.json lists standard npm deps (@farcaster/core, viem). There are no downloads from untrusted URLs or archive extraction steps in the manifest.
- Credentials
- concern: The scripts legitimately need PRIVATE_KEY (Ethereum custody wallet) and SIGNER_KEY (Ed25519 Farcaster signer). Those env vars are proportionate to the tasks (on‑chain registration, EIP‑712 signing, Farcaster hub messages). However, the registry metadata incorrectly lists zero required env vars, which is misleading. Also, the default behavior uses AgentCast proxy endpoints, so operators who do not supply a NEYNAR_API_KEY will rely on the maintainers' infrastructure — a trust decision that should be explicit.
- Persistence & Privilege
- ok: `always` is false; the skill does not request forced inclusion or elevated platform privileges. It does not modify other skills or system-wide settings. It runs as local scripts invoked by the operator.
