Bitbrawlers Agent

Warn. Audited by ClawScan on May 10, 2026.

Overview

This identity-linking skill appears purpose-aligned, but it handles private keys and authentication tokens in ways that users should review carefully before installing.

Use this only if you are comfortable creating a Billions DID for your agent. Configure BILLIONS_NETWORK_MASTER_KMS_KEY before generating keys, avoid passing real wallet private keys on the command line, and prefer a dedicated low-risk key for this skill.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A local user or log collector could capture credentials that prove or control the agent identity, and possibly any reused wallet key.

Why it was flagged

The skill documents passing an Ethereum private key and an authentication token through process arguments, which can be visible in shell history, logs, or process listings.

Skill content

node scripts/createNewEthereumIdentity.js --key 0x1234567890abcdef...; node scripts/verifySignature.js --did <did> --token <token>

Recommendation

Avoid importing valuable existing wallet keys through command-line arguments; prefer a dedicated throwaway identity key and safer secret input methods.

What this means

Anyone who can read the local .openclaw/billions files may be able to recover the agent's private keys.

Why it was flagged

The skill persists private keys locally and stores them unencrypted by default unless BILLIONS_NETWORK_MASTER_KMS_KEY is configured.

Skill content

Private keys — per-entry versioned format; keys are plain or AES-256-GCM encrypted ... Not set -> Raw hex string

Recommendation

Set BILLIONS_NETWORK_MASTER_KMS_KEY before creating identities, protect the storage directory, and do not use a wallet key that holds funds or important permissions.

What this means

The signed proof and DID-linking request are sent to Billions infrastructure as part of the pairing flow.

Why it was flagged

The linking flow embeds a signed JWS in a callback URL and sends the authorization request to a Billions URL shortener service.

Skill content

const callback = callbackBase + jws; ... fetch(`${urlShortener}/shortener`, { method: "POST", ... body: JSON.stringify(message) })

Recommendation

Only run the linking command when you intend to share the identity proof with Billions services, and review the generated URL before using it.

What this means

Installing runs dependency resolution from npm for crypto and identity packages.

Why it was flagged

The skill depends on user-directed npm installation of its Node.js dependencies; this is expected for the included scripts but still adds package supply-chain exposure.

Skill content

cd scripts && npm install && cd ..

Recommendation

Install from a trusted source, keep the included lockfile intact, and review dependency changes before updating.