Archon Keymaster
Audited by ClawScan on May 10, 2026.
Overview
The skill appears coherent for Archon DID and cryptographic workflows, but it legitimately handles wallet secrets, identity authority, external network messaging, and an unpinned npx CLI.
This skill is not suspicious based on the provided artifacts, but install it only if you intend to let it manage an Archon DID wallet. Protect `~/.archon.env`, the wallet file, and the recovery mnemonic; verify the `@didcid/keymaster` package before use; and ask for explicit confirmation before any command that publishes, revokes, transfers, deletes, or changes group membership.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. Wallet secrets and identity authority
Risk: If the wallet file, passphrase file, or displayed recovery mnemonic is exposed, someone could control or impersonate the user's Archon identity.
Finding: The skill explicitly requires and stores the wallet passphrase and accesses the encrypted wallet, which is expected for DID management but gives the scripts authority to sign, decrypt, issue, revoke, and act as the user's DID.
Evidence: `ARCHON_PASSPHRASE` is stored in `~/.archon.env` ... `~/.archon.wallet.json` — encrypted wallet containing DID private keys
Recommendation: Use a dedicated wallet/persona where possible, keep `~/.archon.env` and the wallet private, never commit them, and avoid running identity-changing commands without explicit intent.

2. Unpinned npx CLI
Risk: A changed or compromised npm package could affect wallet operations or access sensitive environment variables during script execution.
Finding: The scripts run the external `@didcid/keymaster` npm package through `npx` without a version pin in the provided artifacts; this is central to the skill, but the package will execute with wallet-related environment variables.
Evidence: WALLET_OUTPUT=$(npx @didcid/keymaster create-wallet 2>&1)
Recommendation: Verify the upstream package and maintainer, consider pinning an audited version, and avoid running the scripts in environments with unrelated secrets.

3. Identity and registry mutation commands
Risk: An agent or user could publish, revoke, transfer, or otherwise mutate DID-related records if they run the wrong command or use the wrong target DID.
Finding: The skill exposes identity and registry mutation commands, including public credential publishing; this is purpose-aligned, but it can have lasting privacy or reputation effects.
Evidence: This makes the credential publicly visible in your manifest ... npx @didcid/keymaster publish-credential "$CREDENTIAL_DID"
Recommendation: Require explicit user confirmation for publish, revoke, transfer, delete, and group-membership changes, and verify all DIDs and aliases before running them.

4. External network messaging
Risk: Encrypted content and associated metadata may leave the local machine and be stored or routed through Archon infrastructure or peer networks.
Finding: The skill sends DID messages or registry data through external Archon network components; this is disclosed and core to the purpose, but users still depend on correct recipient selection and the upstream encryption implementation.
Evidence: Network: Data is encrypted before transmission to Archon gatekeeper/hyperswarm. Only intended recipients can decrypt.
Recommendation: Double-check recipient DIDs and aliases, avoid uploading sensitive files as plain assets unless you intend to share them, and use the encryption-specific commands for private data.
