Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

verified-agent-identity-0.0.15

v1.0.0

Billions decentralized identity for agents. Link agents to human identities using Billions ERC-8004 and Attestation Registries. Verify and generate authentic...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binary (node), and included scripts all align with a DID/attestation tooling skill: identity creation, signing, challenges, and DID storage. Network endpoints (resolver.privado.id, billions.network, rpc-mainnet.billions.network, attestation-relay.billions.network, identity-dashboard.billions.network) match the Billions/iden3 purpose.
Instruction Scope
Runtime instructions are scoped to identity management (create/list/generate challenge/sign/verify/link). They read and write files under $HOME/.openclaw/billions and make HTTPS requests to the project's services (including a URL shortener and an attestation relay). The skill constructs and transmits signed JWS attestations as part of the linking flow — this is expected for the feature but effectively publishes signed tokens to the attestation-relay endpoint, so the user must trust that endpoint.
Install Mechanism
No custom download/install host; code is provided in the bundle and dependencies are standard npm packages with a package-lock.json. Running 'npm install' will fetch packages from the public npm registry (normal but carries the usual npm supply-chain risk). No URL-shortened or ad-hoc binary downloads were found.
Credentials
The manifest declares no required env vars, but the README and code support an optional BILLIONS_NETWORK_MASTER_KMS_KEY which, when set, enables AES-256-GCM encryption of private keys in kms.json. If that env var is NOT set, private keys are persisted as raw hex in $HOME/.openclaw/billions/kms.json. The skill also suggests putting the master key into the skill's env config (which would make the secret available to the agent runtime). Storing private keys on disk in plaintext by default is a significant security consideration that is not obvious from the manifest.
Persistence & Privilege
The skill is not forced-always and does not alter other skills or global agent settings. It persists its own files only under $HOME/.openclaw/billions, which is within its declared scope. Autonomous invocation is enabled by default (normal) but not combined with any unusual privileges.
What to consider before installing
This skill appears to do what it says (create/manage agent DIDs and produce/verify attestations) but has two practical security points to consider before installing:

1) Local private-key storage: keys are written to $HOME/.openclaw/billions/kms.json. If you do not set BILLIONS_NETWORK_MASTER_KMS_KEY, keys are saved in plaintext hex. If you enable the master key, the skill will derive an AES key from that secret and encrypt keys on write. If you choose to set the master key, avoid placing it in a shared or untrusted location; consider using a secure secret store or the OpenClaw skill env feature only if you trust the operator.

2) Network flow / attestations: linking a human to an agent signs a challenge and embeds the signed JWS in a callback URL passed to the project's attestation-relay and the identity-dashboard shortener. This is part of the advertised verification flow, but it means signed attestation tokens are transmitted to billions.network services (and to the whitelisted resolver). Only proceed if you trust the Billions Network endpoints (attestation-relay.billions.network, identity-dashboard.billions.network, resolver.privado.id, rpc-mainnet.billions.network). Review the code paths that build the callback (scripts/constants.js and linkHumanToAgent.js) if you need assurance about exactly what is transmitted.

Recommendations before installing:
- Review and sign off on the listed endpoints and the maintainer identity (billions.network). Verify package authors if possible.
- If you will store real private keys, set BILLIONS_NETWORK_MASTER_KMS_KEY to a strong secret and protect that secret with your normal secret management practices.
- Consider running the skill in an isolated environment (separate account/VM/container) if you are concerned about key exposure or unintended network access.
- If you need higher assurance, ask the maintainer for a security/publishing signature or provenance for the package and confirm the attestation-relay behavior and retention policy.

Confidence note: The files provided are consistent with an identity skill; my assessment flags the storage/transmission tradeoffs rather than malicious intent. Additional info (publisher identity, signed release, transparency about relay handling of attestations) would raise confidence to 'high' and could move the verdict to 'benign'.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

Bins: node
