Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Archon Keymaster
v0.1.4 · Core Archon DID toolkit - identity management, verifiable credentials, encrypted messaging (dmail), Nostr integration, file encryption/signing, aliasing, aut...
⭐ 0 · 483 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Scanner: OpenClaw
Verdict: Benign (medium confidence)
Purpose & Capability
Name/description (DID toolkit, credentials, encrypted messaging, Nostr, file crypto, groups/polls) match the provided scripts and SKILL.md. Requested binaries (node, npx, jq, openssl) and env vars (ARCHON_WALLET_PATH, ARCHON_PASSPHRASE, ARCHON_GATEKEEPER_URL) are what the scripts need.
Instruction Scope
SKILL.md and the scripts consistently instruct the agent to create and source ~/.archon.env, read/write a wallet file (default ~/.archon.wallet.json), and invoke npx @didcid/keymaster for operations. The instructions require storing the wallet passphrase in ~/.archon.env (documented), which is sensitive but corresponds to non-interactive scripting needs.
Install Mechanism
There is no install spec in the registry, but the skill bundles many shell scripts. Runtime relies heavily on npx @didcid/keymaster (remote package execution via npm). Using npx implies fetching/executing code from the package registry at runtime — a moderate supply-chain risk compared with purely local binaries.
Credentials
Requested env vars are proportional to the stated purpose (wallet path, passphrase, gatekeeper URL). However, the skill persists ARCHON_PASSPHRASE in plaintext in ~/.archon.env by design; this is necessary for non-interactive use but increases the risk if the file or machine is compromised.
Persistence & Privilege
Skill does not request always:true and makes no changes to other skills or global agent config. It writes only its own environment file and wallet by design; these are expected for a local key management tool.
Assessment
This skill appears to do what it claims (a local DID/key management toolkit), but it handles highly sensitive secrets and uses npx to invoke @didcid/keymaster (which will fetch/execute code from the npm registry). Before installing or running:
1) verify the provenance of the package and repository (there's no homepage listed and source is 'unknown');
2) audit the @didcid/keymaster package or prefer installing it locally from a pinned, reviewed artifact instead of using npx;
3) protect ~/.archon.env (chmod 600) and consider using an interactive passphrase or an HSM/agent-specific secret store rather than a plaintext env file;
4) if you must use a remote gatekeeper, verify its URL and trustworthiness;
5) run the scripts in an isolated environment (container or dedicated machine) until you have audited the code.
If you want a higher-confidence verdict, provide the upstream repository or signed package checksum so provenance and supply-chain can be verified.
latest · vk974scycppsfazm6xgmvwjf92n81v6gs
Runtime requirements
🔐 Clawdis
Bins: node, npx
Any bin: jq, openssl
Env: ARCHON_WALLET_PATH, ARCHON_PASSPHRASE, ARCHON_GATEKEEPER_URL
Primary env: ARCHON_PASSPHRASE
