erc8004-agent-creator

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). This is a GitHub repo from an individual account (not a well-known vendor) that instructs running npx (which executes remote package code) and a Python patch script that overwrites files — actions that enable arbitrary code execution, so treat it as potentially unsafe unless you verify the repo and package contents and provenance.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs running the external CLI (npx create-8004-agent — referenced at https://github.com/Eversmile12/create-8004-agent), which at runtime fetches and executes remote code (the generator) and is a required dependency for scaffolding the agent, so it could directly control prompts/behavior; therefore it is a runtime external dependency of concern.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). Yes. The skill explicitly scaffolds agents with blockchain payment functionality: it supports x402 payments, can generate an agent wallet (agentWallet can be left empty to let the wizard generate a new wallet), instructs the user to fund that wallet (testnet ETH or devnet SOL), and includes steps to "register on-chain" (e.g., npm run register). Those are specific crypto/blockchain financial operations (wallet creation/management and on-chain registration/payments), not merely generic tooling, so it grants direct financial execution capability.