Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ERC-800Claw

v0.1.1

The OpenClaw entry point for ERC-8004 agent identity and reputation. Register agents on-chain, query identities, give and receive feedback ratings.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the instructions (register/look up agents, give feedback on-chain). Requiring either a Node or Python client is explainable because both language bindings are shown. However, the skill metadata declares no required environment variables while the SKILL.md clearly shows the CLI and client code expect a PRIVATE_KEY for signing transactions (registering/giving feedback). The absence of any declared network/provider credential (RPC URL, INFURA_KEY, ALCHEMY_KEY, etc.) is also notable — the skill may rely on defaults or implicit endpoints but that is not documented.
Instruction Scope
SKILL.md explicitly instructs the agent to run CLI commands and to use an environment variable PRIVATE_KEY (e.g., PRIVATE_KEY=0x... erc-800claw register). The instructions instruct signing transactions (on-chain register/giveFeedback) which require secret key material. The instructions do not limit or warn how that PRIVATE_KEY should be stored/used, nor do they declare other environment variables the code may access (RPC endpoints, telemetry). There are no instructions that read unrelated local files, but the opaque nature of the external CLI (no code bundled) means its runtime behavior cannot be reviewed from this skill alone.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code files to write to disk. That lowers the immediate installation risk from this skill artifact itself. However, the skill directs installation/usage of an external package (npm/pip package named erc-800claw) which is not included for inspection here — the actual package would need review on its registry/source.
Credentials
The SKILL.md requires a PRIVATE_KEY for transaction signing, but the skill metadata lists no required env vars and no primary credential. Requesting a private key is proportional to registering or signing transactions on-chain, but omitting this from requires.env is an inconsistency and a security signal: sensitive credentials are expected but not declared. The skill also does not document any RPC/provider credentials (INFURA/ALCHEMY) which may be necessary; absence of those details reduces transparency about what secrets or endpoints will be used.
Persistence & Privilege
The skill does not request always:true and does not claim any persistent installation behavior. It's user-invocable and allows autonomous invocation (the platform default), which is expected. There is no evidence the skill modifies other skills or system-wide settings.
What to consider before installing
This skill appears to be what it claims (tools for ERC-8004 on-chain identity), but there are important gaps you should address before installing or using it:

  • PRIVATE KEY: The instructions require a PRIVATE_KEY to register or submit feedback. Treat that key as highly sensitive — do not paste it into chat. Prefer using a signing service, hardware wallet, or an ephemeral key with limited funds/permissions for testing.
  • Undeclared secrets: The skill metadata does not declare PRIVATE_KEY or any RPC/provider credentials (INFURA/ALCHEMY). Ask the publisher to declare required environment variables and explain where transactions are sent and what RPC endpoints are used.
  • Uninspected package: This bundle is instruction-only and points to external npm/pip packages (erc-800claw). Review the actual package source (npm/PyPI and linked GitHub repo) before installing to ensure the CLI/client does only what is documented and does not exfiltrate keys or telemetry.
  • Testing advice: Before using real keys on mainnet, test on a non-production network (sepolia) with an ephemeral key and small funds. Monitor network traffic and containerize/sandbox the CLI if possible.

If the publisher can update the skill metadata to declare PRIVATE_KEY (and any provider credentials) and provide a verifiable upstream repository/release for the erc-800claw package, the inconsistencies would be reduced and confidence would increase.
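
The declaration check described in the scan, as an added example (not ClawHub's scanner and not part of the skill): it pulls environment variable names out of SKILL.md-style text and reports the ones the metadata does not declare. The `declared_env` list stands in for the skill's requires.env and its format is an assumption; the sample text is constructed from lines shown on this page.

```python
import re

# Ways the SKILL.md on this page names environment variables.
ENV_PATTERNS = [
    re.compile(r"process\.env\.([A-Z][A-Z0-9_]*)"),                # Node.js client
    re.compile(r"""os\.environ\[['"]([A-Z][A-Z0-9_]*)['"]\]"""),   # Python client
    re.compile(r"(?:^|\s)([A-Z][A-Z0-9_]*)=\S+\s+\S"),             # VAR=value command ...
    re.compile(r"^([A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+)\b", re.M),       # documented variable rows
]
SECRET_HINT = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|MNEMONIC")

# Constructed sample: lines in the style of the SKILL.md reproduced on this page.
SAMPLE_SKILL_MD = """
$ PRIVATE_KEY=0x... erc-800claw register --name "My Agent" --network sepolia
const result = await client.registerAgent(process.env.PRIVATE_KEY, { name: 'A' });
result = client.register_agent(private_key=os.environ['PRIVATE_KEY'], name='A')
ERC8004_NETWORK  mainnet, sepolia  Default network (default: mainnet)
ERC8004_RPC_URL  URL  Custom RPC endpoint
"""

def referenced_env_vars(skill_md):
    """Collect every environment variable name the instructions mention."""
    found = set()
    for pattern in ENV_PATTERNS:
        found.update(pattern.findall(skill_md))
    return found

def audit_env_declarations(skill_md, declared_env):
    """Compare variables used in the instructions with the declared list."""
    referenced = referenced_env_vars(skill_md)
    undeclared = sorted(referenced - set(declared_env))
    return {
        "undeclared": undeclared,
        "undeclared_secrets": [v for v in undeclared if SECRET_HINT.search(v)],
        "declared_unused": sorted(set(declared_env) - referenced),
    }

if __name__ == "__main__":
    # Hypothetical metadata with an empty env declaration, as the scan describes.
    print(audit_env_declarations(SAMPLE_SKILL_MD, declared_env=[]))
```
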

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🪪 Clawdis
Any bin: node, npx, python3, pip
Version: v0.1.1 (latest)
License: MIT-0

ERC-800Claw

Your entry point into ERC-8004 - the on-chain identity, reputation, and validation standard for autonomous agents.

ERC-8004 is an open protocol enabling verifiable agent identity and reputation on Ethereum. Agents can register identities (ERC-721 NFTs), receive and give reputation feedback, and optionally verify their capabilities through validators. ERC-800Claw, built by Primer, provides simple APIs for interacting with the protocol.

When to Use This Skill

Use ERC-800Claw when:

  • You need to register an agent identity on-chain
  • You need to look up an agent by ID or owner
  • You want to give feedback/ratings to another agent
  • You need to check an agent's reputation
  • The user asks about agent verification or trust

Quick Setup

Node.js

npm install erc-800claw

Python

pip install erc-800claw

How to Respond

User Says/Asks | What to Do
"Look up agent #123" | Run erc-800claw agent 123 to get details
"Does agent 42 exist?" | Run erc-800claw exists 42
"How many agents does 0x... own?" | Run erc-800claw owner 0x...
"Register my agent" | Run erc-800claw register --name "Name" (requires PRIVATE_KEY env var)
"What networks are supported?" | Run erc-800claw networks
"Show contract addresses" | Run erc-800claw contracts

CLI Commands

Command | Description
erc-800claw agent <id> | Get agent details by ID
erc-800claw exists <id> | Check if an agent exists
erc-800claw owner <address> | Get agent count for an address
erc-800claw register | Register a new agent (requires PRIVATE_KEY)
erc-800claw networks | List supported networks
erc-800claw contracts [network] | Show contract addresses

CLI Options

  • --network, -n <name> - Network to use (mainnet, sepolia). Default: mainnet
  • --json, -j - Output as JSON

Example CLI Output

$ erc-800claw agent 1
Agent #1 (mainnet)
────────────────────────────────────────
Owner:    0x1234...abcd
URI:      data:application/json;base64,...
Name:     My Agent
About:    An autonomous agent for...
Explorer: https://etherscan.io/nft/0x8004.../1

$ erc-800claw exists 100
Agent 100 exists on mainnet

$ erc-800claw owner 0x1234...
Address 0x1234... owns 3 agent(s) on mainnet

$ PRIVATE_KEY=0x... erc-800claw register --name "My Agent" --network sepolia
Agent Registered on sepolia!
────────────────────────────────────────
Agent ID: 42
Owner:    0x1234...abcd
Tx:       0xabc123...
Explorer: https://sepolia.etherscan.io/nft/0x8004.../42

How ERC-8004 Works

ERC-8004 provides three on-chain registries:

  1. Identity Registry (ERC-721) - Every agent gets a unique NFT token with metadata URI
  2. Reputation Registry - Structured feedback scores from clients to agents
  3. Validation Registry - Independent verification (zkML, TEE, stakers)

The flow:

  1. Register - Mint an agent identity NFT with name/description metadata
  2. Operate - Use your agent ID when interacting with other agents
  3. Build Reputation - Clients give feedback, scores accumulate on-chain
  4. Verify (optional) - Validators attest to capabilities

Using in Code

Node.js / TypeScript

const { createClient } = require('erc-800claw');

const client = createClient({ network: 'mainnet' });

// CommonJS has no top-level await, so the calls run inside an async function
async function main() {
  // Get agent by ID
  const agent = await client.getAgent(1);
  console.log(agent);
  // {
  //   agentId: 1,
  //   tokenURI: 'data:application/json;base64,...',
  //   owner: '0x...',
  //   metadata: { name: 'My Agent', description: '...' },
  //   explorerUrl: 'https://etherscan.io/...'
  // }

  // Check if agent exists
  const exists = await client.agentExists(42);

  // Get agent count for address
  const count = await client.getAgentCount('0x...');

  // Register a new agent (no IPFS needed - uses data URI!)
  const result = await client.registerAgent(process.env.PRIVATE_KEY, {
    name: 'My Autonomous Agent',
    description: 'Handles customer support',
    services: [{ name: 'support', endpoint: 'https://myagent.com/api' }]
  });
  console.log(`Registered agent #${result.agentId}`);

  // Give feedback to an agent
  const agentId = 42; // ID of the agent being rated
  await client.giveFeedback(process.env.PRIVATE_KEY, agentId, {
    value: 4.5,     // Score out of 5
    decimals: 1,
    tag1: 'support',
    tag2: 'fast'
  });
}

main().catch((err) => {
  console.error(err.message);
  process.exitCode = 1;
});

Python

from erc800claw import create_client
import os

client = create_client(network='mainnet')

# Get agent by ID
agent = client.get_agent(1)
print(agent)
# {
#     'agent_id': 1,
#     'token_uri': 'data:application/json;base64,...',
#     'owner': '0x...',
#     'metadata': {'name': 'My Agent', 'description': '...'},
#     'explorer_url': 'https://etherscan.io/...'
# }

# Check if agent exists
exists = client.agent_exists(42)

# Get agent count for address
count = client.get_agent_count('0x...')

# Register a new agent (no IPFS needed - uses data URI!)
result = client.register_agent(
    private_key=os.environ['PRIVATE_KEY'],
    name='My Autonomous Agent',
    description='Handles customer support',
    services=[{'name': 'support', 'endpoint': 'https://myagent.com/api'}]
)
print(f"Registered agent #{result['agent_id']}")

# Give feedback to an agent
agent_id = 42  # ID of the agent being rated
client.give_feedback(
    private_key=os.environ['PRIVATE_KEY'],
    agent_id=agent_id,
    value=4.5,        # Score out of 5
    decimals=1,
    tag1='support',
    tag2='fast'
)

Metadata Format

Agent metadata follows a standard schema:

{
  "name": "My Agent",
  "description": "What my agent does",
  "image": "https://example.com/avatar.png",
  "services": [
    {
      "name": "api",
      "endpoint": "https://myagent.com/api",
      "description": "Main API endpoint"
    }
  ],
  "supported_trust": ["reputation", "validation"]
}

The SDK automatically encodes this as a data URI - no IPFS upload required.
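
Because the token URI is written by whoever registered the agent, a consumer should decode and check it before acting on its endpoints. The following is an added example, not code from the erc-800claw package: it handles the `data:application/json;base64,` form shown on this page, and the size cap and https-only rule are assumptions of the example rather than requirements stated here.

```python
import base64
import json
from urllib.parse import urlparse

PREFIX = "data:application/json;base64,"
MAX_URI_CHARS = 16 * 1024  # assumed cap; the page states no size limit

def encode_agent_uri(metadata):
    """Build a token URI of the form shown in the SDK output on this page."""
    raw = json.dumps(metadata, separators=(",", ":")).encode("utf-8")
    return PREFIX + base64.b64encode(raw).decode("ascii")

def decode_agent_uri(uri):
    """Decode a token URI into a dict; raise ValueError on anything unexpected."""
    if len(uri) > MAX_URI_CHARS:
        raise ValueError("token URI exceeds size cap")
    if not uri.startswith(PREFIX):
        raise ValueError("not a base64 JSON data URI")
    try:
        raw = base64.b64decode(uri[len(PREFIX):], validate=True)
        metadata = json.loads(raw.decode("utf-8"))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError(f"undecodable metadata: {exc}") from None
    if not isinstance(metadata, dict):
        raise ValueError("metadata must be a JSON object")
    return metadata

def _is_https_url(value):
    try:
        parsed = urlparse(value) if isinstance(value, str) else None
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    return bool(parsed and parsed.scheme == "https" and parsed.hostname)

def metadata_issues(metadata):
    """Return the reasons this metadata should not be trusted as-is."""
    issues = []
    if not isinstance(metadata.get("name"), str) or not metadata["name"].strip():
        issues.append("name missing or not a string")
    services = metadata.get("services", [])
    if not isinstance(services, list):
        return issues + ["services is not a list"]
    for index, service in enumerate(services):
        endpoint = service.get("endpoint") if isinstance(service, dict) else None
        if not _is_https_url(endpoint):
            issues.append(f"services[{index}]: endpoint is not an https URL")
    return issues

if __name__ == "__main__":
    # Constructed sample following the schema on this page.
    sample = {"name": "My Agent", "services": [{"name": "api", "endpoint": "https://myagent.com/api"}]}
    print(metadata_issues(decode_agent_uri(encode_agent_uri(sample))))
```
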

Integration with xClaw02

ERC-800Claw works with xClaw02 (x402 payments) to enable paid agent services:

  1. Register your agent identity with ERC-800Claw
  2. Set up payment receiving with xClaw02
  3. Clients verify your identity, pay for services, then rate you

See the xClaw02 skill for payment setup.

Supported Networks

Network | Chain ID | Status
Ethereum Mainnet | 1 | Live
Sepolia Testnet | 11155111 | Live

Contract Addresses

Mainnet

  • Identity Registry: 0x8004A169FB4a3325136EB29fA0ceB6D2e539a432
  • Reputation Registry: 0x8004BAa17C55a88189AE136b182e5fdA19dE9b63

Sepolia

  • Identity Registry: 0x8004A818BFB912233c491871b3d84c89A494BD9e
  • Reputation Registry: 0x8004B663056A597Dffe9eCcC1965A193B7388713

Environment Variables

Variable | Format | Description
PRIVATE_KEY | 0x + 64 hex chars | Wallet private key (required for registration/feedback)
ERC8004_NETWORK | mainnet, sepolia | Default network (default: mainnet)
ERC8004_RPC_URL | URL | Custom RPC endpoint

Error Handling

Error | Meaning | What to Do
Agent not found | No agent with that ID | Verify the agent ID is correct
Agent already exists | Token already minted | Each agent ID is unique
Not the owner | Can't modify other's agents | Only owner can update agent metadata
Invalid address | Malformed Ethereum address | Check address format (0x + 40 hex chars)

Security Notes

  • Never expose private keys in logs, chat, or output
  • Use environment variables for wallet credentials
  • Agent registration costs gas - have ETH in your wallet
  • Private key format: 0x followed by 64 hexadecimal characters
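
A pre-flight check that applies these notes before the CLI is launched, as an added example (not part of erc-800claw): it validates the key format, refuses to sign on the default mainnet without an explicit opt-in, and builds a child environment that contains the key only for signing commands. The function names, the `SAFE_VARS` list and the assumption that `--network` overrides `ERC8004_NETWORK` belong to this example.

```python
import re

KEY_RE = re.compile(r"0x[0-9a-fA-F]{64}")
SIGNING_COMMANDS = {"register"}  # the CLI command the page marks as needing PRIVATE_KEY
SAFE_VARS = ("PATH", "HOME", "ERC8004_NETWORK", "ERC8004_RPC_URL")

def effective_network(argv, env):
    """Network the command will use; assumes --network overrides ERC8004_NETWORK."""
    for i, arg in enumerate(argv):
        if arg in ("--network", "-n") and i + 1 < len(argv):
            return argv[i + 1]
    return env.get("ERC8004_NETWORK", "mainnet")  # documented default

def preflight(argv, env, allow_mainnet=False):
    """Return the minimal child environment for `erc-800claw <argv>` or raise ValueError."""
    child = {name: env[name] for name in SAFE_VARS if name in env}
    if not argv or argv[0] not in SIGNING_COMMANDS:
        return child  # read-only commands never receive the key
    key = env.get("PRIVATE_KEY", "")
    if not KEY_RE.fullmatch(key):
        raise ValueError("PRIVATE_KEY must be 0x followed by 64 hexadecimal characters")
    if effective_network(argv, env) == "mainnet" and not allow_mainnet:
        raise ValueError("signing on mainnet requires allow_mainnet=True")
    child["PRIVATE_KEY"] = key
    return child

def redact(text, env):
    """Strip the key from CLI output before it is logged or shown in chat."""
    key = env.get("PRIVATE_KEY")
    return text.replace(key, "[REDACTED]") if key else text

if __name__ == "__main__":
    import os
    argv = ["register", "--name", "My Agent", "--network", "sepolia"]
    try:
        child_env = preflight(argv, dict(os.environ))
        # Pass child_env as env= to subprocess.run(["erc-800claw", *argv], ...).
        print("ok, variables passed:", sorted(child_env))
    except ValueError as err:
        print("refused:", err)
```
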
