Devtopia Identity
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill’s wallet identity purpose is clear, but it asks the agent to handle private keys and on-chain transactions through an undeclared external CLI, so it should be reviewed before use.
Install only if you trust the Devtopia CLI and can verify its source. Do not give the agent raw private keys in chat or command-line arguments, back up the keystore securely, and require manual review before any on-chain registration or signing action.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the private key is exposed, someone could control the wallet-backed Devtopia identity and potentially sign actions as that identity.
The skill documents importing raw private key or keystore material through the CLI. Private keys grant wallet-backed identity authority, and command-line entry can expose secrets through shell history, process listings, chat logs, or agent logs.
devtopia id wallet import <privateKeyOrKeystore>
Accepts:
- PEM-formatted private key: `-----BEGIN PRIVATE KEY-----...`
Do not paste raw private keys into agent prompts or command arguments. Use only a trusted CLI, prefer encrypted keystore files or interactive/STDIN import, and confirm exactly which wallet is being used.
The agent may run whatever `devtopia` binary is available on the system, and that unreviewed binary would receive sensitive wallet operations.
The reviewed artifacts do not provide or declare the `devtopia` executable, but SKILL.md relies on `devtopia` commands for key generation, signing, keystore storage, and on-chain registration. The executable that would handle wallet secrets is outside the reviewed package.
Source: unknown; Homepage: none; Required binaries: none; No install spec — this is an instruction-only skill; No code files present
Install the Devtopia CLI only from a verified official source, pin or verify its version/checksum, and require the skill metadata to declare the required binary and trusted install source.
A wrong name, wallet, chain, or transaction could create an unwanted permanent identity record and may have account or fee implications.
Registering an identity intentionally signs and submits a blockchain transaction. This is aligned with the skill purpose, but it is a permanent, high-impact action that should not be run casually.
devtopia id register "YourAgentName" ... Sign the identity registration transaction ... Mint your identity on Base chain (Chain ID 8453) ... On-chain registration creates a permanent, verifiable record
Before registering, manually confirm the agent name, wallet address, chain, contract or service endpoint, fees, and transaction details.
If challenges are reused or not tied to a specific action, a proof could be misunderstood or reused outside its intended context.
The documented workflow shares signed proofs and public keys with other agents or a marketplace endpoint. This is expected for challenge-response authentication, but it depends on using the proof only for the intended recipient and challenge.
Agent B: "Proof: {signature, publicKey}" ... curl -X POST https://market.devtopia.net/invoke ... -H "X-Proof: $PROOF"
Use fresh, context-specific challenges with timestamps or nonces, verify the requester and recipient, and share proofs only with trusted parties.
