Is aetherstacey/erc8004-discover safe?
https://github.com/openclaw/skills/tree/main/skills/aetherstacey/erc8004-discover
This skill is a read-only API client for the ERC-8004 blockchain agent registry via agentscan.info. The Python script uses only standard library modules, makes no attempts to access sensitive files, and no canary files were touched. The primary concern is that decode_metadata_uri() follows arbitrary URLs from API responses without validation, creating a minor SSRF-like vector, though no local data would be exfiltrated through this path.
Findings (6)
MEDIUM Arbitrary URL following in decode_metadata_uri -10
The decode_metadata_uri() function in discover.py follows HTTP, HTTPS, and IPFS URLs found in the metadata_uri field of API responses without URL validation or allowlisting. If the Agentscan API returns a crafted metadata_uri pointing to an attacker-controlled server, the script would make an HTTP GET request to that server. While no local data is sent beyond standard HTTP headers (User-Agent: ERC8004-Discovery/1.0), this creates a minor SSRF-like vector.
LOW Cross-skill workflow chaining references -5
SKILL.md documents cross-skill workflows that reference erc8004-register and erc8004-reputation skills with explicit command examples. An agent following these instructions would invoke other skills whose security posture is unknown from this audit. The workflows could create implicit trust in related skills.
LOW Cron job and automated execution examples -5
The Heartbeat Integration section provides ready-to-use cron job examples and shell scripts that pipe output to external notification services. This normalizes unattended automated execution patterns that could be risky if the skill or API were later compromised.
LOW World-readable cache files in /tmp -2
The monitor command writes agent state to /tmp/erc8004-monitor-{id}.json. While this only contains public API data (agent name, description, reputation), the /tmp directory is world-readable on most systems, and the predictable filename pattern could be used for information gathering by other processes.
INFO Python script with outbound network access -5
The skill executes a Python script that makes HTTP GET requests to the Agentscan API (agentscan.info). This is expected behavior for the skill's stated purpose. The script uses only Python standard library modules with no dangerous imports.
INFO Clean installation with expected network activity only -5
All observed network activity during installation is attributable to git clone (GitHub), system services (Ubuntu update checks, CUPS), and local DNS. No unexpected connections or process spawning from the skill itself.