Verified Agent Identity
Warn
Audited by ClawScan on May 13, 2026.
Overview
The skill is purpose-aligned, but it handles private keys and paid requests in risky ways that users should review before installing.
Install only if you are comfortable giving this skill control of a dedicated agent identity key and, possibly, x402 payment signing. Before first use: set BILLIONS_NETWORK_MASTER_KMS_KEY, restrict the permissions on ~/.openclaw/billions, never import a funded Ethereum wallet key, avoid passing secrets on the command line, and carefully review every payment URL, amount, asset, and network before confirming.
Findings (5)
This is an informational, artifact-based review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes, so runtime behavior is inferred from the documentation and scripts, not observed.
1. Private key accepted as a command-line argument
Impact: A leaked key could let another process or person impersonate the agent identity; if the user reuses an asset-holding wallet key, the impact extends to funds.
The documented flow imports an Ethereum private key through a command-line argument. Command-line arguments are exposed through shell history, process listings (ps, /proc/<pid>/cmdline), logs, and monitoring tools. The documented command also places BILLIONS_NETWORK_MASTER_KMS_KEY inline on the same command line, so the master secret lands in shell history as well.
Quoted from the skill's documentation:
BILLIONS_NETWORK_MASTER_KMS_KEY="<your-strong-secret>" node scripts/createNewEthereumIdentity.js --key <your-ethereum-private-key>
Recommendation: Do not pass wallet or identity private keys on the command line. Use a dedicated identity key that holds no assets, prefer generated keys, and ask the publisher to support stdin, a secure keystore, or another import method that keeps the key off argv.
2. Identity keys stored on disk, in plaintext unless a master key is set
Impact: Anyone or any process that can read the storage directory may be able to use the agent identity key, and a reused wallet key along with it.
The skill stores identity private keys persistently and leaves them in plaintext unless the optional master key is configured.
Quoted from the skill's documentation:
kms.json — CRITICAL: Contains private keys (encrypted if BILLIONS_NETWORK_MASTER_KMS_KEY is set, otherwise plaintext)
Recommendation: Set BILLIONS_NETWORK_MASTER_KMS_KEY before first use, run chmod 700 ~/.openclaw/billions, never import a funded wallet key, and rotate any key created before encryption was enabled, since a key that was ever written to disk in plaintext should be treated as exposed.
3. The skill can sign and send x402 payments
Impact: If the user confirms the wrong payment option, the skill sends a valid payment signature and fetches a paid resource.
The payment behavior is disclosed and includes a confirmation step, but it still gives the agent a high-impact capability: creating signed payment headers.
Quoted from the skill's documentation:
Once the user selects (or confirms) a payment, call the script again with the chosen --paymentHash ... the script signs the payment, sends it, and returns the result.
Recommendation: Before authorizing the second call, verify the resource URL, amount, asset, network, and payment hash against what was shown in the first call; decline unclear or unexpected payment requests.
4. Network-scope claim omits x402 resource hosts
Impact: A user may believe the skill only contacts the listed identity-provider domains, while the payment flow can contact any resource host named in a 402 challenge.
The skill's network-scope claim is incomplete: the provided x402 script fetches paymentRequired.resource.url and sends a PAYMENT-SIGNATURE header to that resource provider, which may be outside the listed domains.
Quoted from the skill's documentation:
All network calls are directed to legitimate DID resolvers (resolver.privado.id) or the project's own infrastructure (billions.network) ... Whitelisted domains: resolver.privado.id, billions.network, polygonid.me
Recommendation: Treat x402 resource providers as additional network destinations. The publisher should document this clearly and consider enforcing HTTPS and an explicit allowlist for paid resource URLs.
5. Dependency installation expands the local supply-chain surface
Impact: Installing dependencies runs third-party package installation, including any install scripts those packages define, in the user's environment.
The skill requires installing Node dependencies before use. This is expected for the included scripts, but it expands the local supply-chain surface.
Quoted from the skill's documentation:
cd scripts && npm install && cd ..
Recommendation: Install in an isolated environment where possible and review package.json and package-lock.json before running the scripts.
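To make "review package-lock.json" concrete, here is an added example (not the skill's code) of the review a practitioner would script: it walks the lockfile's `packages` map and flags entries that run lifecycle scripts, that resolve to somewhere other than the npm registry, or that carry no integrity hash. The fields it reads (`resolved`, `integrity`, `hasInstallScript`, `link`) are the ones npm writes in lockfileVersion 2 and 3; the sample lockfile is constructed for the demo.

```javascript
// Added example (not the skill's code): flag risky entries in package-lock.json
// before running `npm install` in scripts/.
function auditLockfile(lock, registry = 'https://registry.npmjs.org/') {
  const findings = [];
  if (!lock.packages) {
    // lockfileVersion 1 has only `dependencies`; regenerate with a current npm.
    findings.push({ pkg: '(root)', issue: 'no packages map (lockfileVersion 1 or no lockfile); regenerate with npm install --package-lock-only' });
    return findings;
  }
  for (const [p, meta] of Object.entries(lock.packages)) {
    if (p === '' || meta.link) continue; // root project entry and workspace symlinks
    const name = p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (meta.hasInstallScript) {
      findings.push({ pkg: name, issue: 'runs preinstall/install/postinstall scripts' });
    }
    if (!meta.resolved) {
      findings.push({ pkg: name, issue: 'no resolved URL (source not pinned)' });
    } else if (!meta.resolved.startsWith(registry)) {
      findings.push({ pkg: name, issue: `fetched from ${meta.resolved}, not the registry` });
    }
    if (!meta.integrity) {
      findings.push({ pkg: name, issue: 'no integrity hash (tarball cannot be verified)' });
    }
  }
  return findings;
}

// Constructed sample in lockfileVersion 3 shape: one clean package, one with an
// install script, one pulled from git with no integrity hash.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'scripts', dependencies: { 'clean-dep': '^1.0.0', 'hooked-dep': '^2.1.0', 'git-dep': 'github:example/git-dep' } },
    'node_modules/clean-dep': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/clean-dep/-/clean-dep-1.0.0.tgz',
      integrity: 'sha512-AAAA',
    },
    'node_modules/hooked-dep': {
      version: '2.1.0',
      resolved: 'https://registry.npmjs.org/hooked-dep/-/hooked-dep-2.1.0.tgz',
      integrity: 'sha512-BBBB',
      hasInstallScript: true,
    },
    'node_modules/git-dep': {
      version: '0.3.0',
      resolved: 'git+ssh://git@github.com/example/git-dep.git#0123456789abcdef0123456789abcdef01234567',
    },
  },
};

function auditSample() {
  return auditLockfile(sampleLock);
}
```

In practice: `auditLockfile(JSON.parse(fs.readFileSync('scripts/package-lock.json', 'utf8')))`, then install with `npm ci --ignore-scripts` so the lockfile is honoured exactly and no package's install hooks run; packages the audit flagged for install scripts may then need a deliberate, reviewed build step.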
