ClawHub

Openclaw Skill

v1.0.0

Identity infrastructure for AI agents — register identities, issue tokens, delegate to sub-agents, revoke credentials, manage policies

0· 54·0 current·0 all-time
by@abhijitjavelin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletRequires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the requested resources: ZEROID_API_KEY and ZEROID_BASE_URL are exactly what a REST-based identity/credential-management integration would need. The declared required binary (curl) is appropriate.
Instruction Scope
SKILL.md contains explicit curl examples calling $ZEROID_BASE_URL endpoints to register agents, issue tokens, exchange/delegate tokens, revoke credentials, and manage policies. It does not instruct the agent to read unrelated files, other env vars, or external endpoints beyond the declared base URL.
Install Mechanism
No install spec or code is present; this is instruction-only. That minimizes disk-write and supply-chain risk; the skill does not download or execute third-party code.
Credentials
Only TWO env vars are required (ZEROID_API_KEY, ZEROID_BASE_URL), which is proportional. However, the API key is inherently high-privilege (it authorizes creating/revoking credentials and issuing tokens). Ensure the key you provide is scoped to the minimal privileges needed.
Persistence & Privilege
always:false (no forced permanent inclusion). Model invocation is enabled (default), which means the agent can autonomously call these identity APIs; combined with a broad administrative API key this raises operational risk if you do not want autonomous credential management.
Assessment
This skill is coherent with its stated purpose, but it performs high-impact identity operations. Before installing: 1) Only supply a ZEROID_API_KEY that is scoped with the minimum privileges needed (avoid a root/admin key). 2) Verify ZEROID_BASE_URL is the official/trusted endpoint (don’t point it at an unknown or third-party URL). 3) Prefer short-lived, scoped service credentials and enable audit logging on the ZeroID service so all creates/issuances/revocations are recorded. 4) Decide whether you want the agent to act autonomously with these powers; if not, restrict model invocation or require human approval for high-risk operations. 5) Review the upstream project (homepage) and run tests in a staging environment before granting access in production. If you can provide the exact privilege model for the ZEROID_API_KEY (scopes, allowed endpoints, and whether it can create API keys), I can raise or lower the concern level.

Like a lobster shell, security has layers — review code before you run it.

latestvk9769gpbz0c7edjkb5ybka57zn84gpyv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔐 Clawdis
Binscurl
EnvZEROID_API_KEY, ZEROID_BASE_URL
Primary envZEROID_API_KEY

Comments