Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenBotAuth

v0.1.1

Get a cryptographic identity for your AI agent. Generate Ed25519 keys, sign your work, prove who you are — across any platform.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (create and register an Ed25519 identity and sign HTTP requests) matches the SKILL.md instructions (generate keys, register with an OBA API, store keys locally). However, the metadata claims no required binaries, while the runtime instructions explicitly require Node.js (v18+), curl and optionally openssl. That mismatch is an incoherence: an agent or integrator would need Node and curl to run the provided commands, yet the manifest declares none.
Instruction Scope
Instructions are focused on key generation, local storage (~/.config/openbotauth/key.json), and one-time registration using a user-provided token. They explicitly warn not to keep the bearer token in the browsing runtime and to delete the token after registration. The skill tells the user to paste a token obtained from an external site (https://openbotauth.org/token) and to save registration info to agent memory/notes. These actions are consistent with the stated goal, but they involve handling sensitive material (private key and bearer token) and instruct the agent to write secrets to disk and to agent memory — the user should confirm they are comfortable with that and ensure the agent's memory is protected.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing will be downloaded or written by an installation step. That reduces installer risk. The runtime still relies on local execution of Node/curl/openssl commands per SKILL.md.
Credentials
The skill requests no environment variables or external credentials in the manifest. The runtime requires the user to supply a one-time OpenBotAuth bearer token (obtained through the external site) for registration and stores it temporarily under ~/.config/openbotauth/token. Requesting that token is proportional to the registration step, but the skill's manifest should have declared the runtime requirement for Node/curl/openssl and should explicitly warn about the sensitive nature of the token/private key.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It writes files only under the user's home directory (~/.config/openbotauth), which is appropriate for identity material. The SKILL.md advises secure file permissions (0700 for the directory, 0600 for the files) and deleting the token after use.
What to consider before installing
This skill largely does what it says (generate an Ed25519 keypair, store it locally, and register it with an OBA service), but before installing:
1) Confirm you have Node.js (v18+), curl and optionally openssl available — the SKILL.md requires them though the manifest does not declare them.
2) Verify the legitimacy of https://openbotauth.org and its token issuance flow before pasting any bearer token (the skill asks you to log in via GitHub and paste a token).
3) Understand that your private key will be stored unencrypted in ~/.config/openbotauth/key.json and a temporary token in ~/.config/openbotauth/token (the skill recommends deleting the token afterward) — protect those files and consider generating keys offline.
4) Prefer to run the provided node/curl commands locally yourself rather than pasting sensitive tokens into a chat window or allowing an autonomous agent to handle them.
5) Ask the publisher for a source/homepage or a repository so you can audit the registration step and confirm the API endpoints used.
If you cannot validate the remote service or the publisher, consider running the commands in a sandboxed environment or decline to install.
