Agent Security Auditor

# Agent Security Auditor

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "Agent Security Auditor" with this command: npx skills add aviclaw/agent-security-auditor

Agent Security Auditor

Scans ERC-8004 agents for security vulnerabilities and generates comprehensive security reports.

Overview

This skill audits ERC-8004 Trustless Agents by querying the Identity Registry and analyzing agent metadata for common security issues. It helps identify potentially malicious or misconfigured agents before interacting with them.

Features

  • Identity Registry Query: Fetches agent metadata from the ERC-8004 Identity Registry
  • Metadata Validation: Checks for missing, empty, or suspicious metadata
  • Endpoint Security: Analyzes service endpoints for red flags
  • x402 Payment Analysis: Validates payment configuration
  • Reputation Check: Queries the Reputation Registry for feedback signals
  • Verification Status: Checks if endpoints are verified via domain control

Usage

# Run the audit script directly with Node.js
node scripts/audit.js <agent-address> [options]

# Options:
#   --rpc <url>        RPC endpoint URL (default: https://eth.llamarpc.com)
#   --chain <id>       Chain ID (default: 1)
#   --output <file>    Output file for JSON report
#   --verbose          Enable verbose logging

Example

# Audit an agent on Ethereum mainnet
node scripts/audit.js 0x742d35Cc6634C0532925a3b844Bc9e7595f8bE21

# Audit with custom RPC
node scripts/audit.js 0x742d35Cc6634C0532925a3b844Bc9e7595f8bE21 --rpc https://mainnet.infura.io/v3/YOUR_KEY

# Save report to file
node scripts/audit.js 0x742d35Cc6634C0532925a3b844Bc9e7595f8bE21 --output report.json

What Gets Scanned

Critical Issues

  • Missing or empty metadata (no name, description)
  • No registered services/endpoints
  • Invalid or unreachable agent URI
  • No agent wallet configured

High Severity Issues

  • Unverified endpoints (no domain control proof)
  • Suspicious endpoint patterns (localhost, IP addresses, unusual ports)
  • No x402 payment support warning
  • No reputation signals

Medium Severity Issues

  • No validation registrations
  • Missing supportedTrust indicators
  • Inactive agent status

Info

  • Reputation score summary
  • Validation count
  • Service endpoint count

Architecture

agent-security-auditor/
├── SKILL.md           # This file
├── scripts/
│   └── audit.js       # Main audit logic
└── references/
    └── ERC-8004.md    # ERC-8004 specification reference

Dependencies

  • ethers.js ^6.x - Ethereum blockchain interaction
  • node-fetch or built-in fetch - HTTP requests for off-chain metadata

Exit Codes

  • 0 - Audit completed successfully
  • 1 - Invalid agent address
  • 2 - Blockchain connection error
  • 3 - Critical error during audit

Notes

  • Requires internet connection for RPC calls and metadata fetching
  • Some checks require off-chain metadata fetching which may be slow
  • Reputation and validation registries are optional deployments

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

S³ Security Audit

Run security audits on codebases using static analysis, dependency scanning, and manual code review patterns. Covers OWASP Top 10, secrets detection, depende...

Registry SourceRecently Updated
2540Profile unavailable
Security

Memory Poison Auditor

Audits OpenClaw memory files for injected instructions, brand bias, hidden steering, and memory poisoning patterns. Use when reviewing MEMORY.md, daily memor...

Registry SourceRecently Updated
2580Profile unavailable
Security

NotaryOS

Seal AI agent actions with Ed25519 cryptographic receipts. Verify what your agent did and prove what it chose not to do.

Registry SourceRecently Updated
2781Profile unavailable
Security

AgentShield Scanner

Scan AI agent skills, MCP servers, and plugins for security vulnerabilities. Use when: user asks to check a skill/plugin for safety, audit security, scan for...

Registry SourceRecently Updated
3140Profile unavailable