Agent Credential Wallets: Verifiable Intent & Delegation Chains
v1.3.1Agent Credential Wallets: Verifiable Intent & Delegation Chains. Build agent credential wallets with Verifiable Intent, SD-JWT delegation chains, cross-proto...
⭐ 0· 95·0 current·0 all-time
by@mirni
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
The skill is a guide for building agent credential wallets and repeatedly references the GreenHelix A2A Commerce Gateway API; requiring GREENHELIX_API_KEY is expected. However, the front-matter and metadata declare the API key as required while the notice in the document also states the sandbox provides 500 free credits and "no API key required to get started" — that contradiction should be clarified.
Instruction Scope
This is an instruction-only guide with illustrative Python examples; calling the GreenHelix API and showing how to handle credentials is within scope. Because the full SKILL.md is large and truncated here, I can't confirm there are no instructions that read other environment variables, access unrelated system files, or direct credentials to external endpoints — you should scan the doc for any steps that collect or transmit secrets beyond GREENHELIX_API_KEY.
Install Mechanism
No install spec and no code files — instruction-only. That minimizes disk footprint and install risks (no external downloads or extracted archives).
Credentials
The single required env var (GREENHELIX_API_KEY) is proportionate to a guide that demos an API gateway. The skill's metadata marks this as the primary credential and notes read/write access to purchased API tools — that is powerful, so prefer a least-privilege/test key and confirm whether examples require any private key material or long-lived credentials before supplying production secrets.
Persistence & Privilege
The skill is not always-enabled and does not request system config paths or persistent privileges. It does not include an install step that would alter agent configuration.
Assessment
This appears to be a coherent, documentation-only skill that legitimately uses a GreenHelix API key. Before installing or invoking it: (1) confirm the author/source (no homepage is provided); (2) prefer a limited-scope or sandbox API key (do not provide a production key); (3) inspect the full SKILL.md for any steps that read other env vars, access local files, or upload keys/credentials to third-party endpoints; (4) rotate/revoke the key after testing; (5) run examples in an isolated/test account; and (6) ask the publisher to clarify the contradictory note about "no API key required" vs. the declared required env var. If you want, paste the full SKILL.md (or the code example sections) and I can check specifically for any instructions that would exfiltrate or mishandle credentials.Like a lobster shell, security has layers — review code before you run it.
ai-agentvk97avydzh7bpwkt5dsfjcfvwkd84x5qrcredentialsvk97avydzh7bpwkt5dsfjcfvwkd84x5qrdelegationvk97avydzh7bpwkt5dsfjcfvwkd84x5qreidasvk97avydzh7bpwkt5dsfjcfvwkd84x5qrgreenhelixvk97avydzh7bpwkt5dsfjcfvwkd84x5qrguidevk97avydzh7bpwkt5dsfjcfvwkd84x5qridentityvk97avydzh7bpwkt5dsfjcfvwkd84x5qrlatestvk97avydzh7bpwkt5dsfjcfvwkd84x5qropenclawvk97avydzh7bpwkt5dsfjcfvwkd84x5qrsd-jwtvk97avydzh7bpwkt5dsfjcfvwkd84x5qrverifiable-intentvk97avydzh7bpwkt5dsfjcfvwkd84x5qrwalletsvk97avydzh7bpwkt5dsfjcfvwkd84x5qr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
EnvGREENHELIX_API_KEY
Primary envGREENHELIX_API_KEY