Clawkey
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill gives the registration flow proof that this agent controls its OpenClaw identity key and can link that identity to a human owner.
The skill asks the agent to access its local identity file and use a private key for signing. The artifact also clearly limits this use and says not to send the private key.
`~/.openclaw/identity/device.json` ... `privateKeyPem` | Use only locally to sign the message. **Never include in API requests.**
Use this only if you intend to register the agent identity with ClawKey, and verify that only the public key, message, signature, timestamp, and device ID are sent.
The agent will transmit registration data such as device ID, public key, message, signature, and timestamp to ClawKey.
The skill directs the agent to make external API calls to ClawKey with the generated registration challenge. This is expected for the stated identity-registration purpose.
POST challenge to https://api.clawkey.ai/v1/agent/register/init
Proceed only if you trust ClawKey for this identity flow and recognize the registration endpoint being used.
The human owner may share sensitive biometric or identity-verification information with VeryAI as part of completing registration.
The flow sends the human to an external verification provider for palm verification. The artifact discloses this, and it does not show the agent collecting biometric data directly.
the human opens a URL and completes VeryAI's palm verification
Review the ClawKey and VeryAI verification pages and privacy terms before completing palm verification.
If heartbeat behavior is enabled, the agent may periodically contact ClawKey to check whether the device is registered and verified.
The heartbeat instructions describe recurring registration-status checks against ClawKey. This is disclosed and limited to status verification.
_This runs periodically_ ... `curl https://api.clawkey.ai/v1/agent/verify/device/YOUR_DEVICE_ID`
Disable or ignore heartbeat checks if you do not want recurring status calls, especially when registration is not needed.
