ClawHub

Agent Passport

v1.0.0

Issue and verify SX# agent passports — cryptographic identity with hash-chain integrity, Merkle anchoring on Base

0· 103·0 current·0 all-time
byOrion@drivenbymyai-max
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (issue & verify SX# agent passports) matches the SKILL.md: all runtime instructions are HTTP curl calls to the declared third‑party service for registering, fetching passports, proofs, and Merkle verification. There are no unrelated env vars, binaries, or install steps requested.
Instruction Scope
Instructions only call the remote API endpoints and return/consume passport and proof data. This stays within the skill's stated scope, but the agent will transmit agent_id/display_name and may receive an api_key and full agent profile (trust, DNA, activity). That can expose agent metadata to the external service and the instructions note per‑call costs for verification. There is no instruction to read local files or unrelated system state.
Install Mechanism
No install spec and no code files — instruction-only skill with no on‑disk installation. This is the lowest install risk.
Credentials
The skill declares no required env vars or credentials, which is coherent. However, the register endpoint returns an api_key which the agent or user will need to store/use; consider how that key is handled. Also the endpoints are paid for per verification call (noted in SKILL.md), so credential/key handling plus billing is a practical consideration although not disproportionate to the purpose.
Persistence & Privilege
always:false and model invocation allowed (default). The skill does not request persistent system privileges or modify other skill configurations.
Assessment
This skill is coherent with its stated purpose but relies on a third‑party service (https://soul.sputnikx.xyz). Before installing, consider: (1) privacy — registering returns and likely stores full agent profile data and an api_key, so avoid sending secrets or private data to the service; (2) billing — verification and Merkle checks are charged per-call (the SKILL.md lists $0.05×402), so estimate costs before heavy use; (3) authenticity — verify the service/domain and its on‑chain anchoring claims (e.g., check BaseScan) if you rely on its proofs; (4) key handling — decide where and how the returned api_key will be stored and protected; (5) test manually first — run the provided curl commands in an isolated environment to observe responses and behavior. If the SKILL.md had asked the agent to read local files, environment secrets, or modify other skill configs, the assessment would be more concerning.

Like a lobster shell, security has layers — review code before you run it.

latestvk973zhn6w74a6ypgjns7n21cy583dn95

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments