AMAI ID
Review
Audited by ClawScan on May 10, 2026.
Overview
AMAI ID appears to be a coherent identity-service guide, but its setup example exposes the private key for a persistent agent identity and records actions to an external reputation trail.
Review carefully before installing or invoking. If you use it, do not run the private-key printing example as-is, store the key securely, verify the AMAI service/domain, and understand what Soulchain actions or messages will be stored and who can see them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains the printed private key could impersonate the agent identity or sign actions that affect its reputation.
The generated private key is the credential used to sign future AMAI identity requests. Printing an unencrypted private key can expose it in logs, transcripts, or tool output even though key generation itself is purpose-aligned.
private_pem = private_key.private_bytes(... encryption_algorithm=serialization.NoEncryption()).decode() ... print("\nPrivate Key (KEEP SECRET):") print(private_pem)
Do not print the private key. Store it in an encrypted key file, secret manager, or hardware-backed store, and rotate or revoke it if it was exposed.
Signed actions or descriptions could become part of a long-lived reputation trail and may be difficult to remove or reinterpret later.
The service intentionally creates persistent, append-only records of signed agent behavior. This is core to the product, but it means actions may be retained and reused for reputation.
Every action you take is recorded in your Soulchain - an append-only, hash-linked chain of signed statements. This creates an immutable audit trail of your agent's behavior
Avoid signing or submitting sensitive content, confirm visibility and retention rules, and use a test identity until revocation and recovery procedures are clear.
Messages could be sent to the wrong party or trusted incorrectly if public keys are not verified.
The skill supports agent-to-agent messaging based on public keys. That is purpose-aligned, but peer identity and message confidentiality depend on correct key verification and use.
If you have another agent's public key, you can message them. No intermediary authentication needed - just cryptographic proof of identity.
Verify key fingerprints before trusting another agent, encrypt sensitive messages appropriately, and get user approval before sending private or high-impact content.
Users must rely on the provided documentation and external domain rather than an inspectable source link from the registry.
The registry metadata does not provide a source repository or homepage, so users have less provenance information for the external identity service. No executable install mechanism or hidden code is shown.
Source: unknown; Homepage: none
Verify the AMAI domain and service documentation independently before creating a persistent identity or storing keys for it.
