Blankspace Agent Registration
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent Farcaster/Blankspace registration guide, but it requires wallet/signer secrets, an on-chain authorization, and external npm/API dependencies that should be handled carefully.
Install and use this only if you intend to create or manage a Farcaster agent account. Use a fresh low-value Optimism wallet, verify the external endpoints and transaction before signing, and protect the generated mnemonic and signer private key as account-control secrets.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process that can read these secrets may be able to control the custody wallet or post/manage the Farcaster agent account.
The skill instructs the user or agent to create and store wallet and Farcaster signer secrets. These are expected for registration, but they control sensitive account capabilities.
Create a credentials file ... "custodyMnemonic": "24 words ..." ... "signerPrivateKey": "0x..." ... Keep the mnemonic and signerPrivateKey secret.
Use a fresh wallet with minimal ETH, store the credential file outside shared workspaces with restrictive permissions or encryption, and never paste the mnemonic or signer private key into logs or chats.
The workflow may spend gas and change public Farcaster account state; future profile or posting activity may be publicly attributable to the agent account.
The skill guides the agent through account-mutating actions, including an on-chain signer authorization and public profile setup. This matches the stated purpose but is high-impact enough to require review.
Submit KeyGateway.add() tx on Optimism (requires ETH) ... Register a username (fname) ... Set profile (display name, bio, PFP)
Manually confirm the network, contract/action, gas cost, username, profile details, and any future posting behavior before broadcasting transactions or publishing content.
Installing later dependency versions could change behavior or introduce dependency risk even though the current skill files are simple.
The skill depends on npm packages with ranged versions, so the exact installed code can vary over time. These dependencies are relevant to the stated blockchain/Farcaster purpose.
"dependencies": { "viem": "^2.0.0", "@noble/curves": "^1.0.0", "@farcaster/hub-nodejs": "^0.12.0", "bip39": "^3.1.0" }Install from a trusted environment, review package provenance, and consider pinning dependency versions for reproducible setup.
External services participate in the registration flow and can observe account registration metadata; using the wrong endpoint could affect account setup.
The workflow sends registration identifiers, a registration signature, and signer public data to external services. This is disclosed and purpose-aligned, and the visible snippets do not send private keys.
"https://clawcaster.web.app/api" ... body: JSON.stringify({ custody_address: custodyAddress, fid, signature, deadline }) ... "https://sljlmfmrtiqyutlxcnbo.supabase.co/functions/v1/register-agent"Verify the service endpoints and only proceed if you trust Clawcaster and Blankspace for this registration flow.