v1.0.0

Irenk_FNG

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 3:23 AM.

Analysis

This identity skill is purpose-aligned, but it asks you to run unreviewed Node scripts and pass sensitive keys or tokens on the command line.

Guidance: Review this carefully before installing. The identity purpose is legitimate, but do not run missing or unreviewed scripts with private keys, JWTs, or wallet-linked identity material. Ask the publisher for the complete scripts, package files, and safer secret-handling instructions before using it with real credentials.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: High, Confidence: High, Status: Concern
SKILL.md
`cd scripts && npm install && cd ..` followed by `node scripts/createNewEthereumIdentity.js`

The reviewed package is described as instruction-only with no code files present, but the skill instructs users to install dependencies and run helper scripts from a scripts directory. Those helpers and dependency manifests are not in the supplied artifacts, yet they would handle identity creation, signing, linking, and credential material.

User impact: You would be trusting unreviewed code or dependencies to create identities, handle keys, sign challenges, and link a human identity to an agent.
Recommendation: Install only if the referenced scripts and dependency files are provided from a trusted source and reviewed. Avoid running npm install or Node helpers that are not included in the artifact you are approving.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High, Confidence: High, Status: Concern
SKILL.md
`node scripts/createNewEthereumIdentity.js --key <privateKeyHex>` and `node scripts/verifySignature.js --did <did> --token <token>`

The skill documents passing private keys and authentication/signature tokens as command-line arguments. These are high-value identity credentials and can be exposed through process arguments, shell history, logs, or agent-visible command transcripts.

User impact: A private key or token entered this way could be accidentally revealed, allowing someone else to impersonate or control the associated identity.
Recommendation: Do not pass real private keys or sensitive tokens on the command line. Prefer a reviewed flow that uses secure prompts, environment variables with care, a wallet/KMS integration, or another secret-handling mechanism that avoids argv exposure.

Identity and Privilege Abuse
Severity: Medium, Confidence: High, Status: Note
SKILL.md
`All identity data is stored in $HOME/.openclaw/billions` and `The created identity is automatically set as default.`

Persistent local identity state is expected for this kind of skill, but it means the skill creates and reuses durable identity material on the user's machine.

User impact: Future uses of the skill may rely on the locally stored default identity, so compromise or confusion around that directory could affect identity operations.
Recommendation: Treat $HOME/.openclaw/billions as sensitive. Review what is stored there, protect local file permissions, and remove identities you no longer intend to use.