Skill v1.0.0
ClawScan security
Vai Layman88 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Apr 30, 2026, 9:31 AM)
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and resource access are consistent with its stated purpose (managing DIDs and signing/linking agent identities), but it stores private keys on disk by default, performs network calls to services in the Billions ecosystem, and can sign/send attestations — so you should review trust in the referenced domains and enable the master KMS key before use.
- Guidance: This skill appears to do what it claims (manage DIDs, sign/verify challenges, create human-agent pairing URLs). Before installing: 1) Decide whether you trust the endpoints it contacts (resolver.privado.id, identity-dashboard.billions.network, attestation-relay.billions.network, rpc-mainnet.billions.network). 2) Protect your private keys by setting BILLIONS_NETWORK_MASTER_KMS_KEY in the skill config or environment — otherwise keys are stored in plaintext under $HOME/.openclaw/billions. 3) Be aware that an agent with this skill can run scripts that sign challenges and send signed tokens to external services; if you do not want the agent to act without explicit human confirmation, restrict autonomous invocation or avoid installing. 4) Running npm install will pull public npm packages; review package.json if you require extra assurance. If you want me to, I can extract the exact files that write keys and show the lines where network calls and file writes occur.
Findings
- [pre-scan-injection-signals] (expected): No pre-scan injection signals were detected. The skill contains many legitimate cryptographic and networking operations which explain the presence of network calls and JWS handling.
Review Dimensions
- Purpose & Capability (ok): Name/description (Billions identity, linking DIDs, signing/verification) match the included scripts, dependencies, and runtime behaviour. Required binary is node (correct for a Node.js toolkit) and the npm dependencies are appropriate for DID/JWS/EVM functionality.
- Instruction Scope (note): Runtime instructions and SKILL.md align with the code (create identity, generate/sign challenges, create pairing URLs, verify signatures). The link/create pairing flow posts authorization request messages to a URL shortener service (identity-dashboard.billions.network) and constructs callbacks to attestation-relay.billions.network — this is expected for the described linking flow, but it means signed JWS tokens (attestations) are sent to these external services as part of normal operation. The SKILL.md includes guardrails, but the code will perform network requests automatically when you run linkHumanToAgent/manualLinkHumanToAgent.
- Install Mechanism (ok): No opaque download/install spec; the package is a Node project with a package.json and package-lock referencing public npm packages. SKILL.md instructs running npm install locally (standard). No evidence of downloads from untrusted custom URLs or use of extract operations.
- Credentials (note): The skill optionally reads BILLIONS_NETWORK_MASTER_KMS_KEY to enable AES-256-GCM encryption of stored private keys — this is proportionate and documented in README/SKILL.md. However, if the env var is not set, private keys are persisted in plaintext under $HOME/.openclaw/billions (kms.json), so setting the master key or using secure skill env config is strongly recommended. No unrelated credentials are requested.
- Persistence & Privilege (note): The skill persists keys and metadata to $HOME/.openclaw/billions (expected for a DID tool). always:true is not set. Autonomous invocation is enabled by default for skills on the platform — that means an agent with this skill could run signing/linking flows and send signed tokens to the project's endpoints without a human pressing the local CLI. This is consistent with the skill's purpose but increases the operational risk if you do not trust the skill or the referenced services.
