Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Base 8004
v1.0.0
Register your AI agent onchain with ERC-8004 on Base. Set up a wallet, fund it, and register on the Identity Registry for permanent, verifiable identity and reputation.
⭐ 0· 1.2k·1 current·1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (ERC-8004 registration on Base) align with the instructions: creating a wallet, funding it, and calling the Identity Registry. Recommended dependencies (viem) and the contract address are consistent with this purpose.
Instruction Scope
The instructions ask the user to generate a private key, immediately console.log it, and store it in a .env file. Logging the private key is insecure and increases the risk of leakage. The instructions also direct the user to publish service endpoint URLs in the onchain registration (expected), which will make agent metadata public. The SKILL.md does not appear to overreach by requesting unrelated system files or other credentials, but the explicit console.log advice and the unconditional echo to .gitignore are risky practices.
Install Mechanism
There is no install spec in the registry (instruction-only), which reduces automatic-execution risk. The README recommends running `npm install viem` — a normal package install — but no version pinning is provided, which is a mild supply-chain risk if you run the command blindly.
Credentials
The skill metadata declares no required environment variables, yet the runtime instructions have the user create AGENT_PRIVATE_KEY in a .env file and then read process.env.AGENT_PRIVATE_KEY. This mismatch (an undocumented required secret) is an inconsistency. Requesting a private key is proportional to the task, but it must be handled much more carefully than shown.
Persistence & Privilege
The skill is user-invocable, not always-enabled, and does not request any persistent agent-level privileges or config paths. It does not try to modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says — register an agent onchain — but take these precautions before following instructions or running any commands:
1) Do NOT print your private key to console or logs. The SKILL.md suggests console.log(privateKey) — avoid that. Generate the key and move it securely (use a hardware wallet or a secure secrets manager if possible).
2) The metadata does not declare AGENT_PRIVATE_KEY even though the instructions use it; treat this as an undocumented required secret.
3) If you run `npm install viem`, consider pinning a known-good version and review the package source before installing.
4) Registration is effectively permanent and public: the NFT, agentURI, and endpoints you publish become public. Only register metadata and endpoints you are comfortable exposing.
5) Fund the wallet with a minimal amount first (as suggested) and verify the Identity Registry contract address independently (do not trust a single document).
6) Prefer using a derived or dedicated key for this agent (so compromise doesn't expose other assets).
If you want help making a safer workflow (hardware wallet, secure secret storage, or signed transactions without exposing keys), ask and provide context on your environment.
Like a lobster shell, security has layers — review code before you run it.
