Agent Identity Protocol
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill largely matches its identity purpose, but it can use a stored wallet key to approve and stake USDC, and its JSON mode skips the confirmation path.
Install only if you are comfortable treating this as wallet software. Use a new low-value key, do not import a valuable wallet, protect the key file, verify the contract address/source and withdrawal path, and require explicit human approval before any register, vouch, USDC approval, or mainnet transaction.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent or user requesting JSON output could approve and stake USDC without a separate confirmation prompt.
The --json flag, described only as "Output as JSON", also skips the confirmation block that precedes the USDC approval and registration, so JSON mode behaves like --yes; vouch.js uses the same pattern before vouch staking.
Evidence:
  .option('--json', 'Output as JSON') ... if (!opts.json && !opts.yes) { ... console.log(` 1. Approve ${opts.stake} USDC for the registry`); ... process.exit(0); } ... functionName: 'approve'
Recommendation: Require explicit user approval or a dedicated consent flag for every USDC approval, stake, vouch, or mainnet transaction; do not let --json imply consent.
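As an added example (not the skill's own code), the reviewed gate next to a version in which output format never implies consent. The option names --json and --yes come from the evidence above; the decideConsent helper, the isTTY argument and the refusal message are assumptions made for this example.

```javascript
// Added example, not the skill's own code. The reviewed pattern lets --json
// stand in for --yes; the hardened version treats only an explicit consent
// flag as consent and fails closed when it is absent. Option names --json
// and --yes come from the audit evidence; decideConsent and the isTTY
// argument are assumptions made for this example.

// Reviewed (vulnerable) gate, reconstructed from the evidence: the
// confirmation block runs only when neither flag is set, so --json alone
// proceeds straight to the approve transaction.
function reviewedSkipsConfirmation(opts) {
  return Boolean(opts.json || opts.yes);
}

// Hardened decision. Returns what the command should do next:
//   'execute' -> --yes was given explicitly, send the transactions
//   'prompt'  -> interactive terminal and no consent yet, show the plan and ask
//   'refuse'  -> JSON mode or no terminal without --yes: send nothing
function decideConsent(opts, isTTY) {
  if (opts.yes === true) return 'execute';
  if (opts.json || !isTTY) return 'refuse';
  return 'prompt';
}

// What the register command would do with that decision. The plan is always
// produced; only the decision controls whether approve/register are sent.
function planRegistration(opts, isTTY) {
  const decision = decideConsent(opts, isTTY);
  const plan = {
    steps: [`Approve ${opts.stake} USDC for the registry`, 'Register identity'],
    stake: opts.stake,
  };
  if (decision === 'refuse') {
    return { ok: false, decision, plan, error: 'refusing to send transactions without --yes' };
  }
  return { ok: true, decision, plan };
}

// Constructed invocation: `register --json --stake 10` from an agent, no TTY.
const agentOpts = { json: true, stake: 10 };
console.log('reviewed gate proceeds:', reviewedSkipsConfirmation(agentOpts)); // true
console.log('hardened gate:', planRegistration(agentOpts, false));            // ok: false, decision: 'refuse'
```

In the hardened version an agent that asks for JSON still gets a machine-readable answer, but the answer is a refusal with the plan attached, not an approve transaction; the only way to reach 'execute' is the explicit --yes.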
Anyone who obtains the key file can sign as the identity and may be able to spend funds from the funded address.
The skill stores a raw private key locally and loads it into a wallet client for on-chain actions. This is disclosed and purpose-aligned, but it gives the skill, and anyone who can read the file, full signing authority over the funded address.
Evidence:
  export const KEY_FILE = path.join(CONFIG_DIR, 'key.json'); ... fs.writeFileSync(KEY_FILE, JSON.stringify(keyData, null, 2), { mode: 0o600 }); ... const account = privateKeyToAccount(keyData.privateKey);
Recommendation: Use a fresh low-value wallet key, avoid importing a valuable existing wallet, protect ~/.agent-identity/key.json, and review any transaction before approving it.
Users may stake USDC believing the skill provides a recovery path when recovery may depend on external contract behavior not shown here.
The artifacts claim stake recoverability, but the supplied scripts and ABI do not include a deactivate or withdraw flow, so the return path is not verifiable from the reviewed skill.
Evidence (from the skill's documentation):
  - USDC stake is returned after deactivation cooldown (7 days)
Recommendation: Verify the deployed contract source and add clear deactivation/withdraw instructions before staking anything of value.
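As an added example (not the skill's own code), the check a user can run on the ABI they actually intend to call before staking: does it expose a stake-entry function without any visible return path? The two ABIs below are constructed for illustration and are not the registry's real ABI; the function-name patterns used to classify entries are an assumption, so any "no return path" result still needs a manual read of the verified contract source.

```javascript
// Added example, not the skill's own code. Scans an ABI for stake-entry
// functions and for a deactivate/withdraw-style return path. The ABIs are
// constructed; the name patterns are an assumption about common naming.
const STAKE_FN = /^(register|stake|vouch|deposit)/i;
const RETURN_FN = /^(deactivate|withdraw|unstake|release|exit|claim)/i;

function fnSignature(f) {
  return `${f.name}(${(f.inputs || []).map((i) => i.type).join(',')})`;
}

function auditStakePath(abi) {
  const fns = abi.filter((e) => e.type === 'function');
  const stakeFns = fns.filter((f) => STAKE_FN.test(f.name)).map(fnSignature);
  const returnFns = fns.filter((f) => RETURN_FN.test(f.name)).map(fnSignature);
  // A cooldown is usually exposed as a view; surface it so the reviewer can
  // compare the on-chain value with the "7 days" stated in the skill docs.
  const cooldownViews = fns
    .filter((f) => f.stateMutability === 'view' && /cooldown|delay|period/i.test(f.name))
    .map(fnSignature);
  let verdict;
  if (stakeFns.length === 0) verdict = 'no stake function found';
  else if (returnFns.length === 0) verdict = 'stake without visible return path';
  else verdict = 'return path present; verify it on the deployed source';
  return { stakeFns, returnFns, cooldownViews, verdict };
}

// Constructed ABI resembling what the finding describes: register/vouch take
// a stake, nothing gives it back.
const REVIEWED_LIKE_ABI = [
  { type: 'function', name: 'register', stateMutability: 'nonpayable',
    inputs: [{ name: 'handle', type: 'string' }, { name: 'stake', type: 'uint256' }], outputs: [] },
  { type: 'function', name: 'vouch', stateMutability: 'nonpayable',
    inputs: [{ name: 'agent', type: 'address' }, { name: 'stake', type: 'uint256' }], outputs: [] },
  { type: 'event', name: 'Registered', inputs: [] },
];

// Constructed ABI that would satisfy the check.
const COMPLETE_ABI = REVIEWED_LIKE_ABI.concat([
  { type: 'function', name: 'deactivate', stateMutability: 'nonpayable', inputs: [], outputs: [] },
  { type: 'function', name: 'withdrawStake', stateMutability: 'nonpayable', inputs: [], outputs: [] },
  { type: 'function', name: 'cooldownPeriod', stateMutability: 'view', inputs: [],
    outputs: [{ name: '', type: 'uint256' }] },
]);

console.log(auditStakePath(REVIEWED_LIKE_ABI).verdict); // stake without visible return path
console.log(auditStakePath(COMPLETE_ABI));
```

A present withdraw function is still only a name: confirm on the verified source that it transfers the stake back to the registrant, and not, for example, to an owner address.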
The code installed later may differ from the reviewed files, which matters more because this skill handles wallet keys and USDC transactions.
The install instructions fetch the repository and npm dependencies at install time without pinning a commit or lockfile in the reviewed instructions.
Evidence:
  git clone https://github.com/g1itchbot8888-del/agent-identity.git /tmp/agent-identity-tmp ... cd "$SKILL_DIR" && npm install
Recommendation: Pin the Git commit, use a lockfile or audited package versions, and review the installed code before funding the generated wallet.
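As an added example (not the skill's own code), a small lint over the install spec that flags the unpinned clone and the range-resolving npm install, and emits the pinned form: detach at a reviewed commit, compare HEAD against it, and use npm ci against a reviewed package-lock.json. The sample spec is the command quoted above, reconstructed without the elided middle; the commit id is a constructed placeholder to be replaced with the sha whose tree was actually reviewed.

```javascript
// Added example, not the skill's own code. Lints an install spec for
// unpinned fetches and rewrites it in pinned form. The spec is constructed
// from the command quoted in the finding; the commit id is a placeholder.
const SHA40 = /\b[0-9a-f]{40}\b/;
const GIT_CLONE = /^git clone\s+(\S+)\s+(\S+)\s*$/;
const GIT_PIN = /^git(?: -C \S+)? (?:checkout|switch|reset)\b/;
const NPM_INSTALL = /^npm (?:install|i)\b/;

function splitCommands(spec) {
  return spec.split(/\s*&&\s*|\r?\n/).map((s) => s.trim()).filter(Boolean);
}

// Returns a list of findings; an empty list means every fetch is pinned and
// the checked-out commit is verified before dependencies are installed.
function auditInstallSpec(spec) {
  const cmds = splitCommands(spec);
  const findings = [];
  const pinned = cmds.some((c) => GIT_PIN.test(c) && SHA40.test(c));
  const verified = cmds.some((c) => c.includes('rev-parse HEAD') && SHA40.test(c));
  for (const c of cmds) {
    if (GIT_CLONE.test(c) && !pinned) findings.push(`unpinned clone: ${c}`);
    if (NPM_INSTALL.test(c)) {
      findings.push(`${c}: resolves version ranges at install time; use npm ci with a reviewed package-lock.json`);
    }
  }
  if (pinned && !verified) findings.push('commit is checked out but HEAD is not compared against the expected sha');
  return findings;
}

// Rewrites the spec: detach at the reviewed commit, assert HEAD, use npm ci.
// The caller supplies the commit id after reading the code at that commit.
function pinInstallSpec(spec, commitSha) {
  if (!SHA40.test(commitSha)) throw new Error('commitSha must be a full 40-hex commit id');
  const out = [];
  for (const c of splitCommands(spec)) {
    const m = GIT_CLONE.exec(c);
    out.push(NPM_INSTALL.test(c) ? c.replace(NPM_INSTALL, 'npm ci') : c);
    if (m) {
      out.push(`git -C ${m[2]} checkout --detach ${commitSha}`);
      out.push(`[ "$(git -C ${m[2]} rev-parse HEAD)" = "${commitSha}" ]`);
    }
  }
  return out.join(' && ');
}

// Constructed sample: the install commands quoted in the finding.
const REVIEWED_SPEC =
  'git clone https://github.com/g1itchbot8888-del/agent-identity.git /tmp/agent-identity-tmp' +
  ' && cd "$SKILL_DIR" && npm install';
// Constructed placeholder commit id: replace with the sha whose tree you reviewed.
const REVIEWED_COMMIT = '0123456789abcdef0123456789abcdef01234567';

console.log(auditInstallSpec(REVIEWED_SPEC));              // two findings
console.log(pinInstallSpec(REVIEWED_SPEC, REVIEWED_COMMIT)); // pinned form
console.log(auditInstallSpec(pinInstallSpec(REVIEWED_SPEC, REVIEWED_COMMIT))); // []
```

npm ci only helps if the package-lock.json it reads was part of the reviewed commit; a lockfile generated at install time pins nothing the reviewer has seen.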
