Sovereign Identity

What to check before installing or running this skill: - Metadata mismatch: The registry metadata claims no required env vars, but skill.json/README and the scripts require CLAW_PASSWORD and expect AGENT_DID / AGENT_ENCRYPTED_KEY. Treat the skill as requiring a secret password and local encrypted key storage until the author clarifies this. - Inspect .env.agent and file permissions: onboarding writes an encrypted private key to .env.agent in the repo root. Ensure this file is truly gitignored, has restrictive filesystem permissions, and that you are comfortable storing the encrypted key locally. - Verify guardrail enforcement: SKILL.md promises identity_check and strict guardrails. Those appear as a standalone guardrail.ts script but are not wired into a runtime enforcement layer. Do not assume the skill will automatically run these checks for every outgoing call; the behavior depends on how the agent host integrates the scripts. - Run tests offline in a sandbox: Run the e2e/test scripts locally in an isolated environment (no network) to confirm behavior, and verify the CLI scripts only perform local crypto and file writes. - Confirm no network exfiltration: The codebase contains no explicit network calls, but verify you trust the repository owner and review package.json/respository pointers. If you cannot review the code, avoid providing CLAW_PASSWORD or running scripts on production systems. - Ask the author to fix documentation gaps: Require the skill author to update registry metadata to list CLAW_PASSWORD and document AGENT_* env usage, and to either implement identity_check as a callable automatic guard or document how the agent host must call guardrail.ts before external interactions. If you need to use this skill but are not comfortable auditing code, prefer running it in a tightly sandboxed environment and only after confirming the file outputs and behavior match your expectations.