Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Meverylucky AI Agent
v1.0.0Billions decentralized identity for agents. Link agents to human identities using Billions ERC-8004 and Attestation Registries. Verify and generate authentic...
⭐ 0· 64·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (Billions decentralized identity, DID linking, signing/verifying challenges) matches the included scripts, which implement identity creation, JWS signing, challenge generation, pairing URL creation, and verification against Billions/Privado resolvers. Requiring the node binary is appropriate.
Instruction Scope
Runtime instructions tell the agent to run the provided Node scripts. The scripts operate only on a dedicated directory ($HOME/.openclaw/billions) and call specific network endpoints (rpc-mainnet.billions.network, resolver.privado.id, identity-dashboard.billions.network, attestation-relay.billions.network). These network calls are consistent with the skill's purpose, but signing produces JWS tokens that are embedded in callback URLs and are posted to the skill's own URL-shortener service (identity-dashboard) as part of pairing link generation — that behavior is expected for generating usable wallet links but worth noting as it transmits signed data to the project's services.
Install Mechanism
No arbitrary download/install spec in registry metadata; the skill includes Node scripts and a package.json/package-lock.json. Installation requires running 'npm install' in the scripts directory which pulls well-known npm packages (identified in package.json/lock). This is a standard pattern and proportionate for a Node-based identity toolkit.
Credentials
Registry metadata lists no required env vars, and none are mandatory at runtime. The code supports an optional environment variable BILLIONS_NETWORK_MASTER_KMS_KEY: when set, on-disk private keys in kms.json are encrypted with AES-256-GCM; when unset keys are stored as raw hex. The SKILL.md/README documents this. Because the variable controls local key encryption, users should set it if they do not want plaintext private keys on disk. No unrelated credentials or secret requests are present.
Persistence & Privilege
The skill does not request always:true and does not require system-wide configuration changes. It persists state and keys under $HOME/.openclaw/billions only (a directory explicitly described in README/SKILL.md). Autonomous invocation is allowed (normal default) but the skill itself does not add high privileges or modify other skills.
Assessment
This skill appears to implement what it claims: it creates and manages Billions Network DIDs, signs challenges, and generates verification links. Before installing: 1) Ensure you trust the Billions network endpoints (billions.network, identity-dashboard.billions.network) and resolver.privado.id because signed tokens and pairing requests are posted to those services. 2) Set BILLIONS_NETWORK_MASTER_KMS_KEY in the skill or environment to enable AES-256-GCM encryption of private keys in kms.json; otherwise private keys are stored as raw hex in $HOME/.openclaw/billions/kms.json. 3) Review the constants (callbackBase, urlShortener, transactionSender, attester values) to confirm they point to expected infrastructure and not a third-party you don't trust. 4) Running the skill requires npm install and Node >= v20 as documented; inspect dependencies if you need additional assurance. 5) The README/SKILL.md guardrails (don’t run system crypto tools, do not manually manipulate files) are meaningful — follow them. If you want stronger guarantees, review or run the scripts in an isolated environment and verify network calls (e.g., with outbound firewall rules) before using real private keys or production identities.Like a lobster shell, security has layers — review code before you run it.
latestvk977650c759cg1jf8k5gx2a46s83bj4k
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsnode