ClawHub

Bitcoin Identity

v0.1.1

Integrate HODLXXI as a Bitcoin-native identity provider that bridges OAuth2/OIDC, Lightning LNURL-Auth, and a minimal signed inter-agent execution loop for s...

1· 1.5k·0 current·0 all-time
by@hodlxxi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (HODLXXI Bitcoin identity, OIDC, LNURL-Auth, JWT) match the provided instructions, templates, and verify_signature helper. Declared dependencies (python, ecdsa, pyjwt, requests, curl) are expected for the documented flows.
Instruction Scope
SKILL.md limits actions to interacting with the configured BASE_URL, registering OAuth clients, performing OAuth flows, starting/polling LNURL-Auth sessions, fetching JWKS, and optional signed inter-agent message round-trips. It does not instruct the agent to read unrelated system files or to exfiltrate data to unexpected endpoints. The inter-agent execution feature is explicitly scoped as a minimal signed protocol (no autonomous spending or negotiation).
Install Mechanism
This is an instruction-only skill with no installer; it recommends pip installing ecdsa, pyjwt, and requests. Installing PyPI packages is expected for the provided Python helper script but carries the usual supply-chain considerations (use virtualenv/locking/pinning in production).
Credentials
The skill declares no required environment variables or credentials. The instructions legitimately require OAuth client_id/client_secret and an access token when calling billing endpoints; those are appropriate and the doc explicitly advises storing secrets securely.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and includes no install-time persistence. Autonomous model invocation remains allowed (platform default) but the skill's instructions do not ask for elevated system privileges.
Assessment
This skill appears internally consistent for integrating a HODLXXI OIDC/LNURL-Auth identity surface. Before installing: (1) only point BASE_URL to a deployment you trust (the skill will send auth flows and tokens there); (2) keep client_secret and access tokens in a secrets manager and avoid pasting them into logs or chat; (3) run pip installs in a virtualenv and pin versions to reduce supply-chain risk; (4) review the verify_signature.py script if you plan to run it (it depends on ecdsa and expects raw/DER signatures); (5) be cautious about enabling any automatic acceptance/execution of incoming signed job proposals—do not auto-execute jobs from untrusted agents. If you need higher assurance, request the skill author/package maintainer to provide pinned dependency versions, release artifacts on a known source (GitHub release tag), and more detailed security docs for the inter-agent execution protocol.

Like a lobster shell, security has layers — review code before you run it.

latestvk970wby7vhrkyfnhz0nqh2sdph83kxvm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments