basename-agent
Audited by Socket on Apr 27, 2026
2 alerts found:
Security x2
SUSPICIOUS: The skill’s crypto and WalletConnect capabilities match its stated purpose, and installs mostly use official npm/service domains. However, it enables autonomous onchain transactions, requires a raw private key for custom scripts, and supports broader WalletConnect dApp connections than simple Basename registration, making the overall risk high even without clear evidence of malware or credential exfiltration.
This module is an automated wallet+Puppeteer registration script that reads a user private key, extracts a WalletConnect URI from a webpage/clipboard, approves WalletConnect sessions, and then signs or sends transactions exactly as requested by the paired dapp. While this could be intended for Base name registration, the WalletConnect request handling lacks allowlisting/validation of requested transactions and would allow any malicious dapp behind a wc: URI to trigger arbitrary transaction signing/sending using the provided PRIVATE_KEY. The code also reads clipboard text and runs Puppeteer with sandbox disabled, increasing risk if the browser environment or webpage is compromised.