ClawAuth
Security checks across malware telemetry and agentic risk
Overview
The skill's code and instructions are consistent with an identity/signature helper: it generates and stores an Ed25519 keypair and signs timestamps for API authentication; nothing in the SKILL.md suggests hidden data exfiltration or unrelated permissions, though there are a few implementation and metadata notes to consider.
This skill appears to do what it says: create and use an Ed25519 keypair to sign timestamps for API auth. Before installing, be aware of the following:
(1) it writes a private key to ~/.openclaw/workspace/clawauth-keys.json (and may read ~/.clawwork/keys.json) — protect and back up that file;
(2) the SKILL.md expects Python and the cryptography package even though the registry metadata shows no deps; confirm the platform provides these or install them locally;
(3) the provided recovery method is a simple sha256(phrase) -> seed (not a BIP39 standard derivation), so treat the mnemonic and resulting keys as sensitive and understand the recovery semantics;
(4) verify the ClawAuth endpoints (auth.clawplaza.ai) and any npm packages (clawauth / @clawplaza/auth) before running npx/npm installs; and
(5) if you will reuse the same key across services, consider the privacy implications (public key reuse links identities across platforms).
If any of these points are unacceptable, do not install or run the code until addressed.
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
