BaseCred
v1.0.0Fetch onchain reputation profiles via BaseCred SDK (Ethos, Talent Protocol, Farcaster/Neynar). Use when the user wants to check wallet reputation, builder score, creator score, Ethos credibility, or Farcaster account quality for any 0x address. Supports multi-source unified profiles with level derivation and recency tracking.
⭐ 3· 1.6k·0 current·0 all-time
byMr. TeeClaw@callmedas69
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill's name/description align with the code and SKILL.md: it loads basecred-sdk and queries Ethos, Talent Protocol, and optionally Neynar/Farcaster. One discrepancy: registry metadata lists 'Required env vars: none' but SKILL.md and the script require TALENT_PROTOCOL_API_KEY (mandatory) and NEYNAR_API_KEY (optional). This is likely an authoring omission in metadata, not a functional mismatch.
Instruction Scope
SKILL.md instructs running the included script from the workspace and to parse its JSON output — consistent with the script. The script walks up from cwd to find node_modules/basecred-sdk and to locate a .env file (up to 5 levels) and merges its key/value pairs into process.env. That behavior is necessary to pick up API keys in a workspace .env, but it means the script will read any .env it encounters (potentially containing unrelated secrets) and make them available to the process and to the imported SDK.
Install Mechanism
No install spec is provided by the skill itself; it expects the workspace to contain the npm package basecred-sdk (user runs 'npm i basecred-sdk'). This is a low-risk, typical pattern — network activity happens via the SDK package on npm, so the main supply-chain review point is that npm package.
Credentials
Requested credentials (TALENT_PROTOCOL_API_KEY required, NEYNAR_API_KEY optional) are proportionate to querying Talent Protocol and Neynar/Farcaster. However, the script's generic .env loading can import any keys present in workspace .env files, so unrelated secrets stored there would be exposed to the script and the SDK at runtime. The skill's registry metadata failing to declare these required env vars is an inconsistency.
Persistence & Privilege
The skill does not request persistent inclusion (always:false), does not write to global agent config, and has no install spec that modifies system-wide settings. It runs only when invoked.
Assessment
This skill appears to do what it claims, but take these precautions before installing: (1) Provide a TALENT_PROTOCOL_API_KEY and optionally a NEYNAR_API_KEY — the registry metadata omitted these; the script will fail without the Talent key. (2) Review the basecred-sdk npm package source (or lockfile) before installing — the skill dynamically imports that package from your workspace and it will perform the network calls. (3) Avoid placing unrelated or high‑value secrets in the workspace .env; the script walks up directories and will load any .env it finds, making those values available to the process and the SDK. (4) Run the skill in an isolated workspace (or container) if you are unsure about the npm package origin, and consider using ephemeral API keys with least privilege.Like a lobster shell, security has layers — review code before you run it.
latestvk975g1b9nh2qn6fwjjjpn4xdfs80esqa
License
MIT-0
Free to use, modify, and redistribute. No attribution required.