Clawkey
Pass
Audited by ClawScan on May 1, 2026.
Overview
ClawKey is a coherent identity-verification skill, but users should understand that it uses the agent’s local identity key, contacts ClawKey/VeryAI, and may perform periodic registration-status checks.
Before installing or invoking this skill, make sure you want this agent registered under a verified human owner. Trust is mainly about the ClawKey and VeryAI services: the artifacts say the private key stays local, but the agent will send signed identity data to ClawKey and the human may complete biometric verification through VeryAI.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill gives the registration flow proof that this agent controls its OpenClaw identity key and can link that identity to a human owner.
The skill asks the agent to access its local identity file and use a private key for signing. The artifact also clearly limits this use and says not to send the private key.
`~/.openclaw/identity/device.json` ... `privateKeyPem` | Use only locally to sign the message. **Never include in API requests.**
Use this only if you intend to register the agent identity with ClawKey, and verify that only the public key, message, signature, timestamp, and device ID are sent.
The agent will transmit registration data such as device ID, public key, message, signature, and timestamp to ClawKey.
The skill directs the agent to make external API calls to ClawKey with the generated registration challenge. This is expected for the stated identity-registration purpose.
POST challenge to https://api.clawkey.ai/v1/agent/register/init
Proceed only if you trust ClawKey for this identity flow and recognize the registration endpoint being used.
The human owner may share sensitive biometric or identity-verification information with VeryAI as part of completing registration.
The flow sends the human to an external verification provider for palm verification. The artifact discloses this, and it does not show the agent collecting biometric data directly.
the human opens a URL and completes VeryAI's palm verification
Review the ClawKey and VeryAI verification pages and privacy terms before completing palm verification.
If heartbeat behavior is enabled, the agent may periodically contact ClawKey to check whether the device is registered and verified.
The heartbeat instructions describe recurring registration-status checks against ClawKey. This is disclosed and limited to status verification.
_This runs periodically_ ... `curl https://api.clawkey.ai/v1/agent/verify/device/YOUR_DEVICE_ID`
Disable or ignore heartbeat checks if you do not want recurring status calls, especially when registration is not needed.
