Skill v1.0.0

ClawScan security

Project Desapetc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 6:14 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, runtime instructions, and network calls are coherent with its stated purpose (creating, signing, linking and verifying decentralized identities); nothing in the bundle indicates it is doing unrelated or hidden actions, though there are important operational security considerations (local key storage, npm install, external endpoints).
Guidance
This package appears to do what it claims, but take these precautions before installing or using it:
- Protect private keys: set BILLIONS_NETWORK_MASTER_KMS_KEY (e.g., via the skill's env config) so kms.json entries are encrypted; otherwise keys are written in plaintext to $HOME/.openclaw/billions/kms.json.
- Review and trust endpoints: the code calls resolver.privado.id, rpc-mainnet.billions.network, identity-dashboard.billions.network and attestation-relay.billions.network. Confirm you trust these domains before sending attestations or using generated links.
- Review package dependencies (npm install): SKILL.md asks you to run npm install inside scripts. Inspect package-lock.json and package.json (included) and consider running installs in an isolated environment if you are cautious.
- Invocation policy: the skill can sign challenges using local keys. If you require human approval for any attestation/linking, restrict autonomous invocation or require manual invocation by the user/agent.
- Audit constants and callbacks: confirm callbackBase and verifierDid values are expected for your deployment; these determine where attestations are delivered.
If you want higher assurance, ask the publisher for provenance (git repo, release signatures), or run the scripts in an isolated VM/container and manually inspect network traffic during a test run.

Review Dimensions

Purpose & Capability
ok
Name/description (Billions/iden3 DID management) match the included scripts: identity creation, challenge generation, signing, linking and verification. The required binary (node) is appropriate, and no unrelated credentials or unusual binaries are requested.
Instruction Scope
note
SKILL.md instructs running npm install in scripts and executing the provided node scripts. The scripts only access $HOME/.openclaw/billions, perform DID operations, and call a small set of network endpoints (resolver.privado.id, rpc-mainnet.billions.network, identity-dashboard.billions.network, attestation-relay.billions.network) consistent with the described workflow. Guardrails are present in SKILL.md. Note: the scripts persist private keys and other identity data to disk; they also perform external HTTP calls (including to a URL shortener) as part of creating wallet links.
Install Mechanism
note
There is no registry-level install spec, but SKILL.md explicitly tells users to run 'cd scripts && npm install'. That pulls packages from the public npm registry (package-lock.json is present and pins common iden3/ethers packages). This is expected for Node-based DID tooling; it's a moderate-risk install vector compared to 'download-and-extract' from an arbitrary URL, but not unusual. No install-time post-install scripts were observed in the included package.json.
Credentials
note
The skill declares no required env vars but supports an optional BILLIONS_NETWORK_MASTER_KMS_KEY to enable AES-256-GCM encryption of on-disk private keys. If that env var is absent, private keys are stored in plaintext under $HOME/.openclaw/billions/kms.json. The request for a KMS key is proportional to the feature, but leaving it unset materially increases risk and should be considered before use.
Persistence & Privilege
ok
The skill persists identity material in $HOME/.openclaw/billions (kms.json, identities, challenges, etc.), which is consistent with its purpose. It does not request 'always: true' or attempt to modify other skills. Note: because the skill can sign challenges using local keys, an agent invoking the skill autonomously could sign attestations; consider an invocation policy if you want manual control.