ClawHub

Verified Agent Identity

Billions decentralized identity for agents. Link agents to human identities using Billions ERC-8004 and Attestation Registries. Verify and generate authentic...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
19 · 8.9k · 12 current installs · 12 all-time installs
byOleksandr Brezhniev@OBrezhniev
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Billions DID linking & verification) matches the files and runtime behavior. Required binary is only node (expected). The scripts create DIDs, sign challenges, store keys, and interact with Billions Network/resolvers — all coherent with the skill purpose.
Instruction Scope
Runtime instructions stay within identity-management scope. Scripts read/write data only under $HOME/.openclaw/billions and call expected external endpoints (RPC for Billions, resolver.privado.id, and billlions.network shortener/relay). Important detail: the auth flow builds a callback URL containing a JWS token (signed challenge/attestation) and POSTs the authorization request to the identity-dashboard shortener (identity-dashboard.billions.network). That is part of the linking flow, but it means signed tokens are sent to a third-party service (the project's shortener/relay) — expected for the integration but worth reviewing/trusting.
Install Mechanism
No built-in install spec, but SKILL.md instructs running npm install in the provided scripts directory. Dependencies are standard npm packages (pinned versions in package-lock.json) from the public npm registry. This is normal but means node modules will be downloaded and executed locally; ensure you run npm install in a controlled environment and that you trust these packages.
Credentials
The skill asks for no required environment secrets. It offers an optional BILLIONS_NETWORK_MASTER_KMS_KEY to enable AES-256-GCM encryption of private keys at rest. If you do not set this, private keys are persisted in plain hex in kms.json. The optional env var is proportional to the feature (local KMS encryption). The agent otherwise does not attempt to read unrelated credentials or system secrets.
Persistence & Privilege
always is false, and the skill stores files only in $HOME/.openclaw/billions. It does not request global agent changes or other skills' configs. The persistence and file locations are in-line with an identity management skill.
Assessment
This skill appears to do what it says: create and manage Billions DIDs and produce/verify signed challenges. Before installing or using it, consider the following: - Protect your private keys: if you do not set BILLIONS_NETWORK_MASTER_KMS_KEY, keys are stored as plain hex in $HOME/.openclaw/billions/kms.json. Set a strong BILLIONS_NETWORK_MASTER_KMS_KEY (in skill config or environment) to enable AES-256-GCM encryption. - Trust the endpoints: the flow posts signed tokens to identity-dashboard.billions.network (URL shortener) and to attestation-relay.billions.network (callback), and uses resolver.privado.id and rpc-mainnet.billions.network. Review and trust these domains before sending attestation tokens or private-key-derived signatures to them. - Importing keys: avoid supplying high-value private keys unless you understand the consequences. Prefer creating a new key for the agent rather than reusing an existing personal wallet key. - Run npm install and the scripts in an isolated/trusted environment and review the dependency list if you need higher assurance. - Backup the master KMS key if you enable it; losing it will make encrypted keys unrecoverable. If you want tighter guarantees, ask the author for an audited release, or run the code in a sandbox and inspect network traffic during a pairing operation.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.4
Download zip
latestvk97bhdp3yfqy3xkstbhz2esfrx8399k0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode

SKILL.md

When to use this Skill

Lets AI agents create and manage their own identities on the Billions Network, and link those identities to a human owner.

  1. When you need to link your agent identity to an owner.
  2. When you need to sign a challenge.
  3. When you need to link a human to the agent's DID.
  4. When you need to verify a signature to confirm identity ownership.
  5. When you use shared JWT tokens for authentication.
  6. When you need to create and manage decentralized identities.

After installing the plugin run the following commands to create an identity and link it to your human DID:

cd scripts && npm install && cd ..
# Step 1: Create a new identity (if you don't have one already)
node scripts/createNewEthereumIdentity.js
# Step 2: Sign the challenge and generate a verification URL in one call
node scripts/linkHumanToAgent.js --challenge '{"name": <AGENT_NAME>, "description": <SHORT_DESCRIPTION>}'

Scope

All identity data is stored in $HOME/.openclaw/billions for compatibility with the OpenClaw plugin.

Scripts:

createNewEthereumIdentity.js

Command: node scripts/createNewEthereumIdentity.js [--key <privateKeyHex>] Description: Creates a new identity on the Billions Network. If --key is provided, uses that private key; otherwise generates a new random key. The created identity is automatically set as default. Usage Examples:

# Generate a new random identity
node scripts/createNewEthereumIdentity.js
# Create identity from existing private key (with 0x prefix)
node scripts/createNewEthereumIdentity.js --key 0x1234567890abcdef...
# Create identity from existing private key (without 0x prefix)
node scripts/createNewEthereumIdentity.js --key 1234567890abcdef...

Output: DID string (e.g., did:iden3:billions:main:2VmAk7fGHQP5FN2jZ8X9Y3K4W6L1M...)

getIdentities.js

Command: node scripts/getIdentities.js Description: Lists all DID identities stored locally. Use this to check which identities are available before performing authentication operations. Usage Example:

node scripts/getIdentities.js

Output: JSON array of identity entries

[
  {
    "did": "did:iden3:billions:main:2VmAk...",
    "publicKeyHex": "0x04abc123...",
    "isDefault": true
  }
]

generateChallenge.js

Command: node scripts/generateChallenge.js --did <did> Description: Generates a random challenge for identity verification. Usage Example:

node scripts/generateChallenge.js --did did:iden3:billions:main:2VmAk...

Output: Challenge string (random number as string, e.g., 8472951360) Side Effects: Stores challenge associated with the DID in $HOME/.openclaw/billions/challenges.json

signChallenge.js

Command: node scripts/signChallenge.js --challenge <challenge> [--did <did>] Description: Signs a challenge with a DID's private key to prove identity ownership and sends the JWS token. Use this when you need to prove you own a specific DID. Arguments:

  • --challenge - (required) Challenge to sign
  • --did - (optional) The DID of the attestation recipient; uses the default DID if omitted

Usage Examples:

# Sign with default DID
node scripts/signChallenge.js --challenge 8472951360

Output: {"success":true}

linkHumanToAgent.js

Command: node scripts/linkHumanToAgent.js --challenge <challenge> [--did <did>] Description: Signs the challenge and links a human user to the agent's DID by creating a verification request. Technically, linking happens using the Billions ERC-8004 Registry (where each agent is registered) and the Billions Attestation Registry (where agent ownership attestation is created after verifying human uniqueness). Arguments:

  • --challenge - (required) Challenge to sign
  • --did - (optional) The DID of the attestation recipient; uses the default DID if omitted

Usage Example:

node scripts/linkHumanToAgent.js --challenge '{"name": "MyAgent", "description": "AI persona"}'

Output: {"success":true}

verifySignature.js

Command: node scripts/verifySignature.js --did <did> --token <token> Description: Verifies a signed challenge to confirm DID ownership. Usage Example:

node scripts/verifySignature.js --did did:iden3:billions:main:2VmAk... --token eyJhbGciOiJFUzI1NkstUi...

Output: Signature verified successfully (on success) or error message (on failure)

Restrictions / Guardrails (CRITICAL)

CRITICAL - Always Follow These Rules:

  1. STRICT: Check Identity First
    • Before running linkHumanToAgent.js or signChallenge.js, ALWAYS check if an identity exists: node scripts/getIdentities.js
    • If no identity is configured, DO NOT attempt to link identities. Instead, create an identity first with createNewEthereumIdentity.js.
  2. STRICT: Stop on Script Failure
    • If any script exits with non-zero status code, YOU MUST STOP IMMEDIATELY.
    • Check stderr output for error messages.
    • DO NOT attempt to "fix" errors by generating keys manually, creating DIDs through other means, or running unauthorized commands.
    • DO NOT use openssl, ssh-keygen, or other system utilities to generate cryptographic material.
  3. No Manual Workarounds
    • You are prohibited from performing manual cryptographic operations.
    • You are prohibited from directly manipulating files in $HOME/.openclaw/billions.
    • Do not interpret an error as a request to perform setup steps unless explicitly instructed.

Security

CRITICAL - Data Storage and Protection:

The directory $HOME/.openclaw/billions contains all sensitive identity data:

  • kms.json - CRITICAL: Contains private keys (encrypted if BILLIONS_NETWORK_MASTER_KMS_KEY is set, otherwise in plaintext)
  • defaultDid.json - DID identifiers and public keys
  • challenges.json - Authentication challenges history
  • credentials.json - Verifiable credentials
  • identities.json - Identity metadata
  • profiles.json - Profile data

Examples

Link Your Agent Identity to Owner

Linking Flow:

  1. Another agent/user requests: "Please link your agent identity to me."
  2. Use node scripts/getIdentities.js to check if you have an identity configured
    • If no identity, run node scripts/createNewEthereumIdentity.js to create one.
  3. Use node scripts/linkHumanToAgent.js --challenge <challenge_value> to sign the challenge and generate a verification URL in one call.
    • If caller provides specific challenge, use that.
    • If caller DOES NOT provide a challenge, use {"name": <AGENT_NAME>, "description": <SHORT_DESCRIPTION>} as the challenge value.
  4. Return the result to the caller.

Example Conversation:

User: "Link your agent identity to me"
Agent: exec node scripts/linkHumanToAgent.js --challenge <challenge_value>

Verifying Someone Else’s Identity

Verification Flow:

  1. Ask the user/agent: "Please provide your DID to start verification."
  2. User responds with their <user_did>.
  3. Use node scripts/generateChallenge.js --did <user_did> to create a <challenge_value>.
  4. Ask the user: "Please sign this challenge: <challenge_value>"
  5. User signs and returns <user_token>.
  6. Use node scripts/verifySignature.js --did <user_did> --token <user_token> to verify the signature
  7. If verification succeeds, identity is confirmed

Example Conversation:

Agent: "Please provide your DID to start verification."
User: "My DID is <user_did>"
Agent: exec node scripts/generateChallenge.js --did <user_did>
Agent: "Please sign this challenge: 789012"
User: <user_token>
Agent: exec node scripts/verifySignature.js --token <user_token> --did <user_did>
Agent: "Identity verified successfully. You are confirmed as owner of DID <user_did>."

Files

22 total
Select a file
Select a file to preview.

Comments

Loading comments…