Skill details (on-site mirror, no comments)
License: MIT-0
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Version: v1.0.0
Stats: ⭐ 0 · 429 · 2 current installs · 2 all-time installs
🛡 VirusTotal: benign · OpenClaw: benign
Package: aviclaw/agent-security-auditor
Security scan (ClawHub)
- VirusTotal: benign
- OpenClaw: benign
OpenClaw assessment
The skill is internally consistent with its stated purpose (auditing ERC-8004 agents) and does not request unrelated credentials or system privileges, but it performs network requests (including fetching arbitrary agent URIs) and defaults to a third‑party RPC endpoint, so run it carefully and review code before use.
Purpose
Name/description (ERC-8004 agent auditor) matches the included files and runtime behavior: a Node.js audit script that queries an on‑chain identity registry, fetches off‑chain registration files, inspects endpoints, and reports findings. The declared dependency (ethers) is appropriate for Ethereum RPC interaction.
Instruction scope
SKILL.md instructs the agent/user to run scripts/audit.js which performs RPC queries and fetches off‑chain metadata/endpoints. This is within the auditor's purpose, but the script will fetch arbitrary URIs taken from agent registrations (and likely probe service endpoints). That can cause outbound requests to attacker‑controlled or internal/private addresses (SSRF/network scanning risks). The instructions do not explicitly warn about running i…
Install mechanism
There is no install spec (instruction-only behavior), minimizing on‑disk installation risk. The package.json lists a single dependency (ethers) which is reasonable and traceable on npm. No remote archive downloads or executable installers are used.
Credentials
The skill requests no environment variables, credentials, or config paths. The only implicit external resource is a blockchain RPC endpoint (default: https://eth.llamarpc.com) and network access for fetch calls — these are expected for the stated functionality, but the default RPC is a third‑party service that may log queries and could affect privacy.
Persistence
always is false; the skill does not request persistent privileges or modify other skills. It runs as an on‑demand script and does not require enabling itself globally.
Overall conclusion
This skill appears to be what it says (an ERC-8004 agent auditor), but before running it: 1) Review the full scripts/audit.js file yourself (or in a sandbox) to confirm no unexpected behavior. 2) Run the script in an isolated environment (container, VM) if you are concerned about it making network calls to internal/private addresses — the auditor will fetch arbitrary agent URIs and may probe endpoints. 3) Override the default RPC with your pre…
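Install (copy to Lobster AI)
Copy the whole passage below into a Lobster Chinese Library conversation; Lobster will complete the installation by following SKILL.md.
Please hand this passage to Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "Agent Security Auditor" on this machine. Summary: Audits ERC-8004 agents by analyzing metadata, endpoints, payment configs, and r….
Please fetch the following address to read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/aviclaw/agent-security-auditor/SKILL.md
(Source: yingzhi8.cn skill library)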
SKILL.md
# Agent Security Auditor
Scans ERC-8004 agents for security vulnerabilities and generates comprehensive security reports.
## Overview
This skill audits ERC-8004 Trustless Agents by querying the Identity Registry and analyzing agent metadata for common security issues. It helps identify potentially malicious or misconfigured agents before interacting with them.
## Features
- **Identity Registry Query**: Fetches agent metadata from the ERC-8004 Identity Registry
- **Metadata Validation**: Checks for missing, empty, or suspicious metadata
- **Endpoint Security**: Analyzes service endpoints for red flags
- **x402 Payment Analysis**: Validates payment configuration
- **Reputation Check**: Queries the Reputation Registry for feedback signals
- **Verification Status**: Checks if endpoints are verified via domain control
## Usage
```bash
# Run the audit script directly with Node.js
node scripts/audit.js <agent-address> [options]
# Options:
#   --rpc <url>       RPC endpoint URL (default: https://eth.llamarpc.com)
#   --chain <id>      Chain ID (default: 1)
#   --output <file>   Output file for JSON report
#   --verbose         Enable verbose logging
```
## Example
```bash
# Audit an agent on Ethereum mainnet
node scripts/audit.js 0x742d35Cc6634C0532925a3b844Bc9e7595f8bE21
# Audit with custom RPC
node scripts/audit.js 0x742d35Cc6634C0532925a3b844Bc9e7595f8bE21 --rpc https://mainnet.infura.io/v3/YOUR_KEY
# Save report to file
node scripts/audit.js 0x742d35Cc6634C0532925a3b844Bc9e7595f8bE21 --output report.json
```
## What Gets Scanned
### Critical Issues
- Missing or empty metadata (no name, description)
- No registered services/endpoints
- Invalid or unreachable agent URI
- No agent wallet configured
### High Severity Issues
- Unverified endpoints (no domain control proof)
- Suspicious endpoint patterns (localhost, IP addresses, unusual ports)
- No x402 payment support warning
- No reputation signals
### Medium Severity Issues
- No validation registrations
- Missing supportedTrust indicators
- Inactive agent status
### Info
- Reputation score summary
- Validation count
- Service endpoint count
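
An added example, not part of the skill's SKILL.md or audit.js: a static check for the "suspicious endpoint patterns" listed above (localhost, IP addresses, unusual ports) that also covers the SSRF concern raised in the OpenClaw assessment by flagging internal addresses before any request is made. The function and flag names are hypothetical, and treating every non-default port and every non-HTTP scheme as a flag is an assumption.

```javascript
// Added example: static triage of endpoint URLs taken from an agent registration.
// Flag names and the port/scheme policy are assumptions, not audit.js behaviour.

const INTERNAL_V4 = [           // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Dotted-quad string -> unsigned 32-bit integer.
const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function isInternalV4(ip) {
  const addr = v4ToInt(ip);
  return INTERNAL_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);              // addresses per block
    return Math.floor(addr / size) === Math.floor(v4ToInt(net) / size);
  });
}

function isInternalV6(host) {   // host without brackets, as serialised by URL
  return host === '::1' || host === '::' ||
    /^f[cd][0-9a-f]{2}:/.test(host) ||          // fc00::/7 unique local
    /^fe[89ab][0-9a-f]:/.test(host) ||          // fe80::/10 link local
    host.startsWith('::ffff:');                 // IPv4-mapped: flagged conservatively
}

function classifyEndpoint(raw) {
  let url;
  try { url = new URL(raw); } catch { return ['invalid-url']; }
  const flags = [];
  if (url.protocol !== 'https:' && url.protocol !== 'http:') flags.push('non-http-scheme');
  // For http(s), URL normalises decimal, hex and short IPv4 forms to dotted-quad,
  // so checks run on the parsed hostname, never on the raw string.
  const host = url.hostname.replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) flags.push('localhost');
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    flags.push('ip-literal');
    if (isInternalV4(host)) flags.push('internal-address');
  } else if (host.startsWith('[')) {
    flags.push('ip-literal');
    if (isInternalV6(host.slice(1, -1))) flags.push('internal-address');
  }
  if (url.port !== '') flags.push('unusual-port'); // port differs from scheme default
  return flags;
}
```

A string check like this cannot see a public hostname that resolves to an internal address, so a fetcher still has to resolve the name and re-check the resulting IP at connection time.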
## Architecture
```
agent-security-auditor/
├── SKILL.md              # This file
├── scripts/
│   └── audit.js          # Main audit logic
└── references/
    └── ERC-8004.md       # ERC-8004 specification reference
```
## Dependencies
- ethers.js ^6.x - Ethereum blockchain interaction
- node-fetch or built-in fetch - HTTP requests for off-chain metadata
## Exit Codes
- `0` - Audit completed successfully
- `1` - Invalid agent address
- `2` - Blockchain connection error
- `3` - Critical error during audit
## Notes
- Requires internet connection for RPC calls and metadata fetching
- Some checks require off-chain metadata fetching which may be slow
- Reputation and validation registries are optional deployments