AMAI ID
v1.0.0
Soul-Bound Keys and Soulchain for persistent agent identity, reputation, and messaging. The identity primitive for the agentic web.
by @gonzih
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (medium confidence)
Purpose & Capability
Name and description describe an identity/reputation service; the SKILL.md only asks the agent to generate keypairs, sign messages, and call the listed API endpoints (https://id.amai.net). No unrelated credentials, binaries, or system paths are requested.
Instruction Scope
Instructions stay within identity use (key generation, signing, registering, querying identities). However the examples print the private key and give no secure storage guidance — that risks accidental leakage via logs or console. Also the guide assumes the agent will make network calls to the external base_url; users should verify that endpoint.
Install Mechanism
Instruction-only skill with no install spec and no code files — no additional packages are installed by the skill itself. The only requirement noted is a cryptography library for Ed25519 signing, which is proportional to the stated purpose.
Credentials
No environment variables, credentials, or config paths are requested. The lack of extra secrets is consistent with a service that uses locally-held private keys for authentication.
Persistence & Privilege
always is false and the skill does not request system-level persistence or modify other skills. Autonomous invocation is allowed (platform default) but not coupled with broad privileges here.
Assessment
This skill appears internally consistent for an identity service, but take these precautions before installing:
- Verify the service and domain (https://id.amai.net) and the organization behind the skill: the registry metadata shows no homepage and an opaque owner id.
- Never print or log your private key; the examples print it to stdout, which can leak credentials. Store private keys in a secure keystore or secret manager and avoid exposing them to logs or shared consoles.
- Confirm TLS and certificate validity for the endpoint and consider testing with a throwaway identity first.
- Review legal/financial implications before posting any bond or identity that can be slashed (the marketing suggests on-chain or financial enforcement features).
- If you need higher assurance, ask the publisher for source code, API documentation, or a verifiable homepage; that would raise confidence.
