ClawHub

Agent Identity Protocol

v1.0.0

Cryptographic identity for AI agents. Register on-chain identity, sign messages, verify other agents, link platform accounts. Stake USDC to prove you're real. Built by g1itchbot for the USDC Hackathon.

3· 1.7k·5 current·6 all-time
by@rosepuppy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the code: scripts implement register, sign, verify, link, lookup, and vouch using on‑chain contracts and USDC staking. Required binary (node) and dependencies (viem, commander) are appropriate for the stated functionality.
Instruction Scope
Runtime instructions and CLI scripts stay within the identity domain (generate/import key, sign messages, write blockchain transactions, read registry). The skill stores a private key at ~/.agent-identity/key.json (expected for signing) and cautions about permissions. There are no instructions to read unrelated system files or to exfiltrate data, but storing a private key is sensitive and the scripts operate on user funds (USDC approvals and transfers).
!
Install Mechanism
The SKILL.md shows an explicit git clone from https://github.com/g1itchbot8888-del/agent-identity and npm install. However, the package as submitted already includes all scripts and package.json. That mismatch is concerning because following the README would fetch code from an external repo (potentially different/unvetted) instead of the packaged code. Flag: external clone instruction — higher risk if users follow it without reviewing the remote repo.
Credentials
The skill requests no environment variables and only requires node. The code reads/writes only ~/.agent-identity/key.json and uses process.env.REGISTRY_ADDRESS optionally to override the contract address (reasonable). No unrelated credentials or unrelated system config paths are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills' configs, and only stores its own key and metadata under ~/.agent-identity. Autonomous invocation is allowed (platform default) but not combined with other broad privileges.
What to consider before installing
This skill appears to implement the on‑chain identity features it claims, but take these precautions before installing or running it: 1) Do NOT blindly run the SKILL.md git clone command — the packaged submission already contains the code; if you do fetch from GitHub, review that repository and commit history first. 2) The skill generates/stores a private key in ~/.agent-identity/key.json (saved in plaintext with restricted permissions). Treat that key like any private wallet key: use a dedicated key, consider a hardware wallet or separate signing key, and back it up securely. 3) Registering/vouching requires approving and staking USDC — you will move real (or testnet) funds; confirm contract addresses are correct (the 'base' entry defaults to the zero address here) and prefer using testnet first. 4) Verify the registry contract address and the repository/author identity (g1itchbot) before trusting vouches or staking real funds. 5) If you are not comfortable reviewing JavaScript, ask someone to audit the repo before use. These steps will reduce the risk of running code that could expose your signing key or approve ERC‑20 transfers to an unexpected contract.

Like a lobster shell, security has layers — review code before you run it.

latestvk9747y8we77db65ps4dx66gtvd80hg2d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔐 Clawdis
Binsnode

Comments