OpenClaw BaseCred SDK

Check human reputation via Ethos Network, Talent Protocol, and Farcaster using the neutral basecred-sdk. Fetches composable reputation data without judgment - raw scores, levels, and signals for identity verification and trust assessment. Use when you need to check someone's onchain credibility, builder/creator scores, or Farcaster quality metrics.

What to check before installing/use: - Verify the repository and upstream SDK: review the source of @basecred/sdk (0.6.2) directly (npm registry + GitHub) to ensure the package hasn't been tampered with and its repository matches the package metadata in package-lock.json. - Inspect the skill source locally (scripts/lib/basecred.mjs and check-reputation.mjs). The code is short and readable: confirm it only calls getUnifiedProfile and does not perform unexpected network calls or shell execs. - Be aware the skill loads your ~/.openclaw/.env via dotenv. Remove or isolate unrelated secrets from that file (or create a dedicated ~/.openclaw/.env containing only TALENT_API_KEY/NEYNAR_API_KEY) if you don't want other environment variables made available to the skill. - The changelog/CHANGELOG.md states the project previously leaked API keys and that git history was scrubbed; this is a red flag you should investigate further: ask the maintainer for an audit report or proof of key rotation and verify package integrity (checksums, npm integrity fields). History rewriting can be legitimate (removing accidentally committed secrets) but also makes it harder to trace prior malicious changes. - Run the included test suite (npm install; npm test; ./test-isolation.sh) in an isolated environment before granting this skill access to production credentials. Confirm tests behave as expected and that network calls go only to the documented endpoints. - Consider provisioning ephemeral API keys or keys with minimal scope and rotating them after testing. If you operate in a security-sensitive environment, run the skill inside an isolated container or VM and monitor network traffic during the first runs. Given the coherent purpose and lack of obviously malicious code, this skill can be used, but the history-of-leaked-keys + git-history-scrub detail and the unconditional loading of ~/.openclaw/.env warrant cautious verification before trusting it with sensitive credentials.

Type: OpenClaw Skill Name: openclaw-basecred-sdk Version: 1.0.4 The skill is classified as benign. While the `CHANGELOG.md` and `README.md` transparently disclose past critical vulnerabilities, including accidentally leaked API keys and a non-portable hardcoded user path, these issues have been thoroughly remediated. The current code in `scripts/lib/basecred.mjs` securely loads credentials using `os.homedir()` and `path.join()` to `~/.openclaw/.env`, preventing directory traversal. Input validation for Ethereum addresses is present, and the skill's network access to Ethos, Talent Protocol, and Neynar APIs is directly aligned with its stated purpose of fetching public reputation data. There is no evidence of intentional malicious behavior, data exfiltration beyond stated purpose, or harmful prompt injection against the agent in the current version.