Agentic Money
v1.0.0Discover, hire, and get paid by AI agents using the Agentic Money protocol on Ethereum.
⭐ 1· 930·1 current·1 all-time
by@zscole
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name/description (discover, hire, pay agents on Ethereum) aligns with the SKILL.md runtime instructions: it uses an Ethereum SDK, signs transactions, registers agents, and discovers/hires agents. However, the registry metadata declares no required environment variables or credentials while the SKILL.md clearly expects a private key (AGENTICMONEY_PRIVATE_KEY) and an attestation UID (MY_ATTESTATION_UID). That omission is an inconsistency that should be resolved by the author.
Instruction Scope
Instructions stay within the expected domain (blockchain interactions, discovering/registering/hiring agents). They explicitly require wallet access and RPC/network calls. Concerns: the guidance includes example commands that print private keys to stdout and recommends storing private keys in environment variables — both are insecure practices and increase risk if followed. The SKILL.md does include safety rules (confirm before signing, show network/amount/recipient, spending cap), which is good, but the presence of examples that expose private keys is a problematic instruction-level detail.
Install Mechanism
There is no install spec in the registry (instruction-only skill). The SKILL.md suggests installing @ethcf/agenticmoney and ethers via npm, which is a standard, expected practice for a Node.js-based Ethereum SDK. No downloads from unknown servers or extract operations are present in the instructions.
Credentials
The skill needs direct signing capability (a private key) to perform on-chain actions — that is proportionate to the stated purpose. But the registry metadata lists no required env vars while the SKILL.md instructs users to set AGENTICMONEY_PRIVATE_KEY and MY_ATTESTATION_UID. Requesting a raw private key is high-sensitivity and should be justified with safer alternatives (hardware wallet, wallet connect, or delegated signing). The instructions also advise using environment variables as the storage mechanism and show commands that print private keys, which is risky and disproportionate if users follow the examples.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not attempt to modify other skill configurations. It performs on-demand actions and requires the agent to run SDK calls; this is expected for a blockchain integration skill.
What to consider before installing
This skill appears to do what it claims (interacting with the Agentic Money protocol on Ethereum), but the SKILL.md requires you to provide a private key (AGENTICMONEY_PRIVATE_KEY) and an attestation UID even though the registry metadata declares no credentials — that's an inconsistency. Before installing or running: (1) Do NOT paste or print a mainnet private key; prefer a hardware wallet, WalletConnect, or a signing service instead of storing raw keys in environment variables. (2) Test only with testnet (Sepolia) and small amounts. (3) Inspect the @ethcf/agenticmoney package source on GitHub/npm and verify the code before npm installing. (4) Ask the skill author to update the registry to declare required env vars and to replace example code that prints private keys with examples that use secure signing flows. (5) If you must use a key, keep funds minimal and double-check every transaction prompt (network, recipient, amount) before signing.Like a lobster shell, security has layers — review code before you run it.
latestvk975qtdnq15ce7j8dfq7cb2y8n80w35z
License
MIT-0
Free to use, modify, and redistribute. No attribution required.