Verified Agent Identity
v1.0.4
Billions decentralized identity for agents. Link agents to human identities using Billions ERC-8004 and Attestation Registries. Verify and generate authentic...
by Oleksandr Brezhniev @obrezhniev
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Billions DID linking & verification) matches the files and runtime behavior. Required binary is only node (expected). The scripts create DIDs, sign challenges, store keys, and interact with Billions Network/resolvers — all coherent with the skill purpose.
Instruction Scope
Runtime instructions stay within identity-management scope. Scripts read/write data only under $HOME/.openclaw/billions and call expected external endpoints (RPC for Billions, resolver.privado.id, and billions.network shortener/relay). Important detail: the auth flow builds a callback URL containing a JWS token (signed challenge/attestation) and POSTs the authorization request to the identity-dashboard shortener (identity-dashboard.billions.network). That is part of the linking flow, but it means signed tokens are sent to a third-party service (the project's shortener/relay) — expected for the integration but worth reviewing/trusting.
Install Mechanism
No built-in install spec, but SKILL.md instructs running npm install in the provided scripts directory. Dependencies are standard npm packages (pinned versions in package-lock.json) from the public npm registry. This is normal but means node modules will be downloaded and executed locally; ensure you run npm install in a controlled environment and that you trust these packages.
Credentials
The skill asks for no required environment secrets. It offers an optional BILLIONS_NETWORK_MASTER_KMS_KEY to enable AES-256-GCM encryption of private keys at rest. If you do not set this, private keys are persisted in plain hex in kms.json. The optional env var is proportional to the feature (local KMS encryption). The agent otherwise does not attempt to read unrelated credentials or system secrets.
Persistence & Privilege
always is false, and the skill stores files only in $HOME/.openclaw/billions. It does not request global agent changes or other skills' configs. The persistence and file locations are in-line with an identity management skill.
Assessment
This skill appears to do what it says: create and manage Billions DIDs and produce/verify signed challenges. Before installing or using it, consider the following:
- Protect your private keys: if you do not set BILLIONS_NETWORK_MASTER_KMS_KEY, keys are stored as plain hex in $HOME/.openclaw/billions/kms.json. Set a strong BILLIONS_NETWORK_MASTER_KMS_KEY (in skill config or environment) to enable AES-256-GCM encryption.
- Trust the endpoints: the flow posts signed tokens to identity-dashboard.billions.network (URL shortener) and to attestation-relay.billions.network (callback), and uses resolver.privado.id and rpc-mainnet.billions.network. Review and trust these domains before sending attestation tokens or private-key-derived signatures to them.
- Importing keys: avoid supplying high-value private keys unless you understand the consequences. Prefer creating a new key for the agent rather than reusing an existing personal wallet key.
- Run npm install and the scripts in an isolated/trusted environment and review the dependency list if you need higher assurance.
- Backup the master KMS key if you enable it; losing it will make encrypted keys unrecoverable.
If you want tighter guarantees, ask the author for an audited release, or run the code in a sandbox and inspect network traffic during a pairing operation.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: node
