Is 0xm1kr/doppel-erc-8004 safe?

https://github.com/openclaw/skills/tree/main/skills/0xm1kr/doppel-erc-8004

85
SAFE

This skill is a legitimate guide for registering an AI agent's onchain identity via the ERC-8004 protocol on Base mainnet. It contains no prompt injection, hidden instructions, or malicious code. The primary risks are operational — the skill handles real cryptocurrency private keys and transactions, sends wallet data to the external Doppel hub, and installs the viem npm package, all of which are within its stated purpose but carry inherent financial and security risks.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (7)

MEDIUM Real financial risk from cryptocurrency operations -15

The skill instructs the agent to generate private keys, fund wallets with real ETH, and submit transactions on Base mainnet. These are irreversible operations with real monetary value. If the agent mishandles the private key (e.g., logs it, includes it in an error message, or commits it), funds could be permanently lost or stolen.

MEDIUM Wallet data sent to external Doppel hub -10

The skill instructs the agent to send wallet address and ERC-8004 agent ID to the Doppel hub API (doppel.fun) via authenticated PATCH request. While this is the skill's stated purpose and the hub performs onchain verification, it links the agent's blockchain identity to a centralized third-party service.

MEDIUM npm package installation and blockchain transaction code -15

The skill instructs the agent to install the viem npm package and execute TypeScript code that creates wallet clients, signs transactions, and interacts with smart contracts on Base mainnet. While viem is a reputable library and the code is standard Ethereum interaction, these are non-trivial code execution operations.

LOW Multiple external URL references -5

The skill references several external URLs that the agent is expected to interact with: 8004.org, doppel.fun, relay.link, basescan.org, gateway.thegraph.com, and viem.sh. While these are all legitimate services related to the skill's purpose, they expand the agent's attack surface to multiple external domains.

LOW API key referenced for The Graph Gateway -5

The skill includes a subgraph query URL pattern that requires an API_KEY variable for The Graph Gateway. If the agent sources or generates this key, it represents another credential the agent must manage securely.

LOW Private key exposure risk in multi-skill environments -10

The skill stores the private key in .env. In environments where multiple skills are active, other skills with filesystem access could read AGENT_PRIVATE_KEY from .env and use it for unauthorized transactions or exfiltrate it.

INFO Good security practices documented 0

The skill explicitly includes security warnings about never leaking, losing, or overwriting the private key. It instructs adding .env to .gitignore. These are positive security practices.