basecred
Enables verification of on-chain reputation for individuals, helping agents assess trustworthiness and manage access based on reputation.
Install this skill
Security score
The basecred skill was audited on Mar 1, 2026 and we found 24 security issues across 4 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Webhook reference - potential data exfiltration
| 38 | | reference.md | https://www.zkbasecred.xyz/reference.md | For full API specs & webhooks | |
Webhook reference - potential data exfiltration
| 74 | - _(Optional)_ A **webhook URL** to receive event notifications (must be HTTPS) |
Webhook reference - potential data exfiltration
| 85 | > Optionally, if you'd like to receive webhook notifications when reputation events occur, provide an HTTPS webhook URL. |
Webhook reference - potential data exfiltration
| 87 | Wait for the wallet address and Telegram handle before proceeding. The webhook URL is optional. If your owner provides a wallet address, verify it looks like a valid Ethereum address (starts with `0x` |
Webhook reference - potential data exfiltration
| 99 | "webhookUrl": "https://example.com/webhook" |
Webhook reference - potential data exfiltration
| 105 | `webhookUrl` is **optional**. If provided: must be HTTPS, must not point to private/local addresses, max 512 characters. |
Access to hidden dotfiles in home directory
| 47 | 1. Load credentials from ~/.config/zkbasecred/credentials.json |
Access to hidden dotfiles in home directory
| 119 | **Immediately after a successful response**, compute `SHA256(apiKey)` and save credentials to `~/.config/zkbasecred/credentials.json`: |
Access to hidden dotfiles in home directory
| 280 | **Self-registration** (recommended): Credentials are stored in `~/.config/zkbasecred/credentials.json` after completing the registration flow above. |
Unicode escape sequences
| 8 | emoji: "\U0001F6E1\uFE0F" |
External URL reference
| 5 | homepage: https://www.zkbasecred.xyz |
External URL reference
| 10 | api_base: "https://www.zkbasecred.xyz/api/v1" |
External URL reference
| 19 | | **SKILL.md** (this file) | `https://www.zkbasecred.xyz/skill.md` | |
External URL reference
| 20 | | **skill.json** (metadata) | `https://www.zkbasecred.xyz/skill.json` | |
External URL reference
| 36 | | skill.md | https://www.zkbasecred.xyz/skill.md | Always (this file) | |
External URL reference
| 37 | | reporting.md | https://www.zkbasecred.xyz/reporting.md | Before generating reports | |
External URL reference
| 38 | | reference.md | https://www.zkbasecred.xyz/reference.md | For full API specs & webhooks | |
External URL reference
| 92 | POST https://www.zkbasecred.xyz/api/v1/agent/register |
External URL reference
| 99 | "webhookUrl": "https://example.com/webhook" |
External URL reference
| 113 | "claimUrl": "https://www.zkbasecred.xyz/agent/claim/abc123...", |
External URL reference
| 160 | GET https://www.zkbasecred.xyz/api/v1/agent/register/{claimId}/status |
External URL reference
| 183 | POST https://www.zkbasecred.xyz/api/v1/agent/check-owner |
External URL reference
| 272 | You **MUST** use the standardized report format in **reporting.md** when delivering results. Load it from `https://www.zkbasecred.xyz/reporting.md` before generating any report. Do NOT improvise your |
External URL reference
| 314 | Your credentials should ONLY appear in requests to `https://www.zkbasecred.xyz/api/v1/*`. |
Install this skill with one command
/learn @teeclaw/basecred