AgentConstitution

v1.0.0

Interact with AgentConstitution governance contracts on Base Sepolia. Check compliance, read rules, log actions, query governance state.

by alexthebuildr @ztsalexey
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description, contract addresses, RPC endpoint, and included scripts all align: they are all about reading governance state and logging actions on the Base Sepolia testnet. Nothing in the files claims unrelated access (no cloud creds, no system-level operations).
[!] Instruction Scope
The SKILL.md and provided shell scripts instruct use of the 'cast' CLI and, for logging actions, the agent's private key via --private-key $AGENT_PRIVATE_KEY. However the skill does not declare a required binary or explicitly list AGENT_PRIVATE_KEY in its requirements. The instructions rely on a sensitive secret (private key) and on tools that must be present, which is not surfaced in the metadata.
Install Mechanism
This is instruction-only (no install spec), so nothing is automatically downloaded or written. That's low-risk. However the scripts implicitly require third-party tooling (cast, and optionally node/ethers for examples). The skill does not provide an install mechanism or advise how to obtain those tools.
[!] Credentials
No environment variables or primary credential are declared, yet the SKILL.md demonstrates an operation that requires a private key ($AGENT_PRIVATE_KEY) for sending transactions. That sensitive credential is not listed in requires.env. Requesting a private key to sign transactions is reasonable for on-chain interactions, but it must be explicitly declared and justified — omission is a proportion/visibility problem.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always:false), does not modify other skills or global agent settings, and is testnet-only. It does not attempt to persist credentials or alter agent configuration in the provided files.
What to consider before installing
This skill appears to do what it claims (query governance contracts and optionally log actions on Base Sepolia), but before installing or using it:

- Be aware the scripts expect the 'cast' CLI (Foundry) and examples use ethers.js/node; the skill metadata does not declare these binaries. Install them from official sources if you plan to run scripts.
- The SKILL.md shows using --private-key $AGENT_PRIVATE_KEY to send logAction transactions. The skill metadata does NOT declare this environment variable. Do NOT put your real/mainnet private key into an environment variable for this skill. If you must send transactions, use a testnet-only key with minimal funds and rotate it afterward.
- Verify contract addresses and the RPC endpoint independently (e.g., BaseScan) and confirm the linked GitHub repo is the expected project before trusting the scripts.
- Because this is instruction-only, nothing will be installed automatically; you (or the agent runtime) will run commands that can sign and send transactions. Only provide signing credentials when you fully trust the code and the network.

If the publisher can clarify and update the skill metadata to: (a) declare required binaries (cast, node), (b) explicitly list AGENT_PRIVATE_KEY (or alternative signing method) in requires.env, and (c) add warnings about testnet-only and private-key handling, the remaining concerns would be resolved.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai, base, governance, latest, safety, usdc


Runtime requirements

⚖️ Clawdis
