Please report security issues directly to the maintainers via email or private GitHub issue defined in the repository.
The following contracts are in scope:
src/IdentityRegistry.solsrc/ReputationRegistry.solsrc/ValidationRegistry.sol
The protocol is permissionless. Sybil attacks are possible (creating many fake agents). The Reputation Registry is the mitigation layer; users and dApps should filter agents based on high reputation from trusted reviewers.
The contracts store hashes (keccak256) of off-chain data (JSON files). It is the responsibility of the client to verify that the downloaded data matches the on-chain hash. If the hash does not match, the data MUST be rejected.
agentWalletupdate requires a valid EIP-712 signature.- Feedback submission prevents self-modification by the agent owner (though alternate accounts can still be used, see Sybil Resistance).