holdcc_eth
Security checks across malware telemetry and agentic risk
Overview
This skill has an understandable identity purpose, but it asks users to run missing Node scripts that would handle private keys, authentication proofs, and human-agent identity linking.
Review this skill carefully before installing. Do not use a main wallet private key, confirm the referenced scripts and dependencies are actually included and reviewed, and require explicit user approval for every signing or human-identity-linking action.
VirusTotal
63/63 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You cannot verify what code would run or how it would handle identity keys and authentication tokens; the skill may fail as packaged or require unreviewed code from somewhere else.
The provided artifact set contains only SKILL.md with no scripts or install spec, but the skill's main workflow depends on npm dependencies and Node scripts that are not present for review.
cd scripts && npm install && cd ..
node scripts/createNewEthereumIdentity.js
node scripts/linkHumanToAgent.js --challenge
Only use this if the package includes the referenced scripts, package files, and pinned dependencies, and review them before running any identity or key-handling commands.
A valuable wallet or identity key could be used to authenticate or create identity links that affect account control, reputation, or public attestations.
The skill can import or use private keys, sign authentication proofs, send a token, and link a human identity to an agent identity, but the provided artifacts do not clearly bound approval, destination, or credential-handling details.
node scripts/createNewEthereumIdentity.js [--key <privateKeyHex>] ... Signs a challenge with a DID's private key ... sends the JWS token ... links a human user to the agent's DID
Use a fresh, dedicated low-value key if testing; do not pass a main wallet private key; explicitly approve each signing or linking action and confirm where any token is sent.
Identity records or challenge history may remain on disk and could be reused or exposed if the local machine or OpenClaw directory is compromised.
Persistent local identity and challenge data are disclosed and scoped, but the artifacts do not explain retention, encryption, or whether stored identity data includes signing material.
All identity data is stored in `$HOME/.openclaw/billions` ... Stores challenge associated with the DID in `$HOME/.openclaw/billions/challenges.json`
Review the contents and permissions of the storage directory, back up or delete it intentionally, and avoid storing sensitive signing keys unless you understand how they are protected.
