Blindoracle Fixed

v1.1.0

Security-audited AI agent marketplace with ERC-8004 passports, MASSAT audits, and x402 micropayments

Security Scan
Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (marketplace + MASSAT audits + passports) aligns with the declared requirements: MASSAT_API_URL and BLINDORACLE_API_KEY are exactly what you'd expect for contacting an audit/passport API; required binaries (curl, python3) are reasonable for the curl/json.tool examples.
Instruction Scope
SKILL.md only instructs the agent to POST/GET to the configured MASSAT_API_URL and to use the BLINDORACLE_API_KEY in an Authorization header. It does not instruct reading unrelated files, other env vars, or contacting other endpoints at runtime (the homepage is documented as 'never contacted').
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk install model. Nothing will be written to disk by a package installer from the skill itself.
Credentials
The two required env vars (MASSAT_API_URL and BLINDORACLE_API_KEY) are appropriate and limited. Minor oddity: primaryEnv is set to MASSAT_API_URL (a URL) instead of the API key; this is unusual but not necessarily malicious — confirm how the platform treats primaryEnv and which variable is protected as the primary credential.
Persistence & Privilege
always:false and normal (default) autonomous invocation allowed. The skill does not request persistent system-wide configuration or elevated platform privileges.
Assessment
Before installing:
1) Treat BLINDORACLE_API_KEY as a sensitive secret — only provide a key with the minimal permissions needed for agent registration/audit, and verify key revocation options.
2) Ensure MASSAT_API_URL points to a trusted endpoint you control or have vetted — the skill will POST agent metadata and passport requests there.
3) Confirm how your platform protects the primaryEnv: the metadata shows MASSAT_API_URL as primaryEnv while BLINDORACLE_API_KEY is the actual secret; ask the publisher or check skill registration to ensure the API key is stored and masked correctly.
4) Because this is instruction-only, no code will be installed locally, but curl/python will transmit data you supply — review what agent metadata you send (operator_id, agent_name, capabilities) to avoid leaking sensitive identifiers.
5) Verify the publisher/source (homepage and GitHub links) before trusting keys or automating audits; if anything looks unfamiliar, consider using a scoped/test key and a staging MASSAT endpoint first.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: python3, curl
Env: MASSAT_API_URL, BLINDORACLE_API_KEY
Primary env: MASSAT_API_URL
latest: vk971mt9mkd4380hbz657p723sx8498rc
78 downloads
0 stars
1 versions
Updated 1w ago
v1.1.0
MIT-0

BlindOracle

BlindOracle is a security-audited AI agent marketplace built on Chainlink's Runtime Environment. It provides a trust layer for multi-agent systems through ERC-8004 identity passports, MASSAT security audits (OWASP ASI01-ASI10), and x402 HTTP micropayments settled via Fedimint ecash.

Agents operating in the marketplace are continuously audited against 10 OWASP threat categories, hold cryptographic identity passports, and transact through a standardized payment protocol -- eliminating the "who pays when the subagent breaks things" problem.

Security Transparency

Network Endpoints Contacted

Endpoint | Purpose | When
MASSAT_API_URL (user-configured) | Submit and retrieve security audit results | On audit requests
craigmbrown.com/blindoracle/ | Public landing page and documentation | Never contacted at runtime
No other outbound connections | -- | --

Credentials Required

Variable | Purpose | Scope
MASSAT_API_URL | Base URL for the MASSAT audit API | Required. Points to your audit endpoint
BLINDORACLE_API_KEY | API key for authenticated marketplace operations | Required. Used for agent registration, passport issuance, and audit submission

What Data Leaves the Machine

  • Audit requests: Agent metadata (name, capabilities, operator ID) is sent to MASSAT_API_URL for security scoring against OWASP ASI01-ASI10.
  • Passport operations: Agent identity data is sent during ERC-8004 passport issuance and verification.
  • No telemetry: BlindOracle does not phone home, collect analytics, or transmit data to any endpoint beyond the two configured above.

Before You Install

Requirements

  • Python 3.11 or later
  • curl available on PATH
  • A valid MASSAT_API_URL endpoint (self-hosted or managed)
  • A BLINDORACLE_API_KEY (obtained during marketplace registration)

Environment Setup

export MASSAT_API_URL="https://your-massat-endpoint.example.com"
export BLINDORACLE_API_KEY="your-api-key-here"
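
A preflight for the two variables set above, so the bearer key is only ever sent to an https endpoint whose host you have vetted. This is an added example, not part of the skill or its SKILL.md; the function names and the MASSAT_ALLOWED_HOSTS variable are hypothetical, and the hosts in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the skill). MASSAT_ALLOWED_HOSTS is a
# hypothetical, space-separated allowlist that you maintain yourself.

# Print the lowercased host of an https URL. Fails on any other scheme,
# on embedded credentials (user@host) and on an empty host.
massat_host() {
  local url="$1" rest authority host
  case "$url" in
    https://*) rest="${url#https://}" ;;
    *) return 1 ;;
  esac
  authority="${rest%%[/?#]*}"      # cut path, query and fragment
  case "$authority" in
    *@*) return 1 ;;               # userinfo can disguise the real host
  esac
  host="${authority%%:*}"          # drop :port (IPv6 literals fail closed)
  [ -n "$host" ] || return 1
  printf '%s\n' "$host" | tr 'A-Z' 'a-z'
}

# Return 0 only if the key is set and the URL's host is on the allowlist.
massat_preflight() {
  local url="$1" allowed="$2" host h
  host=$(massat_host "$url") || {
    echo "reject: need an https URL without credentials" >&2; return 1; }
  [ -n "${BLINDORACLE_API_KEY:-}" ] || {
    echo "reject: BLINDORACLE_API_KEY is empty" >&2; return 1; }
  for h in $allowed; do
    if [ "$host" = "$h" ]; then return 0; fi
  done
  echo "reject: host '$host' is not in the allowlist" >&2
  return 1
}

# The status call from the Quick Start, gated by the preflight.
# --proto '=https' makes curl itself refuse any non-https transfer.
massat_audit_status() {
  massat_preflight "$MASSAT_API_URL" "${MASSAT_ALLOWED_HOSTS:-}" || return 1
  curl -s --proto '=https' \
    "$MASSAT_API_URL/api/v1/audit/status?agent=$1" \
    -H "Authorization: Bearer $BLINDORACLE_API_KEY"
}
```

Set MASSAT_ALLOWED_HOSTS once (for example to your staging and production audit hosts) and call `massat_audit_status my-agent`; with an empty allowlist every request is refused.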

Quick Start

Run a security audit against an agent

curl -X POST "$MASSAT_API_URL/api/v1/audit" \
  -H "Authorization: Bearer $BLINDORACLE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_name": "my-agent",
    "capabilities": ["research", "analysis"],
    "operator_id": "my-operator-id"
  }'

Check audit status

curl -s "$MASSAT_API_URL/api/v1/audit/status?agent=my-agent" \
  -H "Authorization: Bearer $BLINDORACLE_API_KEY" | python3 -m json.tool

Register an agent with ERC-8004 passport

curl -X POST "$MASSAT_API_URL/api/v1/passport/issue" \
  -H "Authorization: Bearer $BLINDORACLE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_name": "my-agent",
    "operator_id": "my-operator-id",
    "capabilities": ["research", "analysis"]
  }'
