Agent Security Auditor
Skill by aviclaw
Why use this skill?
Secure your AI interactions with the Agent Security Auditor. Scan ERC-8004 agents for vulnerabilities, metadata flaws, and endpoint risks before you engage.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/aviclaw/agent-security-auditor
What This Skill Does
The Agent Security Auditor is a specialized security tool designed for the OpenClaw ecosystem to vet ERC-8004 Trustless Agents before you interact with them. By systematically scanning an agent's on-chain registration and off-chain metadata, the auditor acts as a firewall between you and potentially malicious or poorly configured AI entities. It retrieves data from the Identity Registry, verifies endpoint authenticity, evaluates x402 payment configurations, and cross-references reputation data to provide a comprehensive risk profile. It effectively prevents the blind execution of tasks by flagging missing metadata, unverified domain proof, and suspicious network configurations that often characterize low-effort or phishing agents.
Installation
To integrate this security layer into your OpenClaw environment, use the CLI provided by ClawHub. Ensure you have Node.js installed on your machine, as the audit scripts rely on ethers.js for blockchain connectivity. Run the following command in your terminal:
clawhub install openclaw/skills/skills/aviclaw/agent-security-auditor
Once installed, verify the installation by checking your local skills directory for the existence of the audit.js script in the scripts/ folder.
Use Cases
This skill is essential for developers building agent-based dApps and end-users who frequently interact with autonomous agents. Developers can use it as a pre-flight check in automated pipelines to ensure only verified, secure agents are added to a whitelist. Researchers can use it to map the security posture of the ERC-8004 ecosystem. Everyday users should run this audit before granting an agent access to wallets or private data, ensuring that the agent has a verifiable reputation and correctly configured payment protocols.
Example Prompts
- "Audit the agent at address 0x742d35Cc6634C0532925a3b844Bc9e7595f8bE21 to see if it is safe to interact with."
- "Perform a security scan on the latest agent in the registry and save the report to security_check.json."
- "Check if the agent 0x123... has valid domain control proofs and a positive reputation score."
Tips & Limitations
The security auditor provides a risk assessment, not a guarantee of safety. Because the tool relies on external RPC providers and off-chain metadata fetching, performance may vary based on your network connection. Always check the audit output for 'High Severity' flags, particularly those related to unverified endpoints. Note that reputation signals are optional; an agent without a reputation score is not necessarily malicious, just unproven. Ensure your RPC provider is reliable to avoid false positives in connectivity tests.
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-aviclaw-agent-security-auditor": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags (AI)
Flags: network-access, file-write, external-api
Related Skills
Zeroex Swap
Skill by aviclaw
slither-audit
Run slither static analysis on Solidity contracts. Fast, lightweight security scanner for EVM smart contracts.
solidity-guardian
Smart contract security analysis skill. Detect vulnerabilities, suggest fixes, generate audit reports. Supports Hardhat/Foundry projects. Uses pattern matching + best practices from Trail of Bits, OpenZeppelin, and Consensys.
x-research
General-purpose X/Twitter research agent. Searches X for real-time perspectives, dev discussions, product feedback, cultural takes, breaking news, and expert opinions. Works like a web research agent but uses X as the source. Use when: (1) user says "x research", "search x for", "search twitter for", "what are people saying about", "what's twitter saying", "check x for", "x search", "/x-research", (2) user is working on something where recent X discourse would provide useful context (new library releases, API changes, product launches, cultural events, industry drama), (3) user wants to find what devs/experts/community thinks about a topic. NOT for: posting tweets, account management, or historical archive searches beyond 7 days.
token-budget-monitor
Track and control token consumption across OpenClaw cron jobs