Skill v0.1.0
ClawScan security
Verified Agent Identity · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 13, 2026, 6:04 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions ask you to run Node scripts and npm install to generate and store private keys, but no script files are packaged with the skill — this mismatch plus the npm install instruction (which can execute arbitrary code) is a red flag.
- Guidance: Do not run the advised commands or `npm install` until you can verify the actual script files and package.json. Specifically: (1) Ask the skill author or the registry for the complete code bundle (scripts and package.json) or a trusted published release (e.g., GitHub repo and commit/release tarball). (2) Inspect package.json and the referenced .js files for network endpoints, npm postinstall scripts, or any code that writes or exfiltrates keys. (3) If you must test, do so in an isolated sandbox/VM and back up any existing keys; prefer generating identity keys offline or in a hardware signer rather than allowing an unfamiliar script to create and store private keys. (4) If the author cannot provide the code or a verifiable source, avoid installing — the instruction-only manifest with an npm install step and missing scripts is a meaningful red flag.
- Findings: [no-findings] unexpected: The regex-based scanner found nothing because there are no code files to analyze, but SKILL.md references a scripts/ directory and multiple .js files that are not included in the bundle — this absence is itself an important finding.
Review Dimensions
- Purpose & Capability (concern): The skill claims to provide scripts (createNewEthereumIdentity.js, linkHumanToAgent.js, etc.) to manage DIDs, which matches the stated purpose. However, the package contains no code files — only SKILL.md — so the claimed capabilities are not actually present in the bundle. Requiring the node binary is appropriate for the stated purpose, but the absence of the referenced scripts is a concrete incoherence.
- Instruction Scope (concern): The runtime instructions direct the agent (or user) to run `cd scripts && npm install && node scripts/...` and to create and store private keys under $HOME/.openclaw/billions. These actions involve creating and handling sensitive cryptographic material and performing network interactions (registry/attestation), and the docs forbid manual mitigation — but the actual script files are not included. The instructions also omit explicit network endpoints and do not show how tokens/attestations are transmitted, reducing transparency.
- Install Mechanism (concern): There is no formal install spec in the registry, yet the SKILL.md tells users to run `npm install` inside a scripts directory. Running `npm install` can execute arbitrary package scripts (postinstall, etc.), which is a high-risk operation unless you can inspect the package.json and node_modules. Because no code/package files are shipped with the skill manifest, it's unclear what would be installed or from where — this is disproportionate and risky.
- Credentials (note): The skill does not request any environment variables or external credentials (which is appropriate). However, it generates and persists private keys and DID material under $HOME/.openclaw/billions, which is sensitive. The skill's lack of declared credentials is consistent, but the local storage of cryptographic keys is a security-sensitive behavior users should be aware of.
- Persistence & Privilege (note): The skill persists identity material and challenges to $HOME/.openclaw/billions. It does not set always:true and does not request system-wide privileges, which is good, but persistent private key storage in the user's home directory increases the blast radius if the scripts are malicious or vulnerable.
