ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Verified Agent Identity

v0.1.0

Billions/Iden3 authentication and identity management tools for agents. Link, proof, sign, and verify.

1· 176·0 current·0 all-time
byAgung Prabowo@agungprabowo123·duplicate of @obrezhniev/verified-agent-identity
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and scripts all implement decentralized identity (DID) creation, signing, linking, and verification for the Billions/iden3 ecosystem — this is coherent. Minor inconsistency: SKILL.md metadata declares required binaries (node, openclaw) but the registry 'Requirements' section earlier lists none; the runtime instructions also require running `npm install` in scripts. Those missing declarations are an information gap but not by themselves malicious.
Instruction Scope
Runtime instructions are limited to creating/listing identities, generating/signing/verifying challenges, and sending messages via the `openclaw` CLI. The scripts read/write files under $HOME/.openclaw/billions and call remote endpoints (RPC, resolver, attestation relay). The SKILL.md includes strict guardrails forbidding manual manipulation of those files, yet the code itself persists unencrypted keys and identity data — this is expected for the skill but worth noting as sensitive scope.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the README/SKILL.md instructs `cd scripts && npm install`. The package.json and package-lock.json use mainstream npm packages (iden3, polygonid, ethers, etc.), not arbitrary downloads. Installing dependencies via npm is moderate risk (supply-chain exposure); there are no obfuscated external downloads or URL shorteners.
!
Credentials
The skill does not request environment variables or external credentials, which is appropriate. However, it persistently stores private keys (kms.json) in plaintext JSON under $HOME/.openclaw/billions by default. The code does not explicitly set file permission mode; the README claims 'owner-readable only' but that is not enforced in code. The code also embeds and uses several external endpoints (rpc-mainnet.billions.network, attestation-relay.billions.network, wallet.billions.network, resolver.privado.id) and constructs callback URLs that include signed tokens — all expected for the protocol but they expose signed data to third parties. These practices are sensitive and deserve scrutiny relative to the stated purpose.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It persists cryptographic material and identity state under $HOME/.openclaw/billions and will keep a KMS and stored DIDs across runs; this is normal for an identity tool but increases the impact if the machine or skill is compromised.
What to consider before installing
What to consider before installing: - This package creates and stores private keys unencrypted in $HOME/.openclaw/billions/kms.json (and other identity files). If you install, expect long-lived plaintext key material on disk. Consider running in a sandbox, using an encrypted KMS, or adjusting file permissions (and verify permissions are actually enforced). - The skill will call external services (Billions RPC, attestation-relay, a DID resolver). The protocol embeds signed tokens into callback URLs; review those endpoints and privacy implications before using with production keys or real assets. - The repository expects Node >=20 and the openclaw CLI on PATH. The registry metadata omitted those required binaries — ensure you have the correct runtime installed and trust the openclaw binary before allowing it to send messages. - Installation requires running `npm install` (package-lock is provided). That pulls standard npm packages; consider auditing dependencies if you require high assurance. - The code validates inputs and uses execFileSync to call a fixed `openclaw message send` command; it applies tokenization and regex filtering to reduce shell-injection risk — but validation and sanitization are area to review if you expect untrusted input. - If you are not comfortable with plaintext key storage or with signing callbacks being sent to third-party relays, do not install or only use test identities in a controlled environment. If you want, I can list the exact files that write or read key material and suggest specific hardening changes (e.g., encrypt kms.json, set restrictive file modes, or switch to an OS-provided secure key store).
scripts/shared/utils.js:158
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b15fs45y3s9v8thyfdwcsks82vy92

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments