Skill v1.6.0

ClawScan security

Aip Identity · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Feb 14, 2026, 8:51 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly does what its description says (identity, signing, encrypted messaging) but there are multiple mismatches and a few surprising behaviors (credential file lookup paths, doc/code inconsistencies, potential to read/overwrite local credential files) that deserve scrutiny before installing.
Guidance
Before installing or running this skill:
1) Verify the service and source links (https://aip-service.fly.dev and the GitHub/PyPI project) independently: the SKILL.md claims a PyPI package and GitHub repo that you should confirm match the code you received.
2) Be aware the tool will create a local JSON containing your private key (aip_credentials.json by default) and may overwrite that file in the current directory; store and secure backups and set restrictive file permissions.
3) The script will look for existing credentials in several paths including ~/.openclaw/... which could read unrelated workspace credentials; if you have sensitive files there, avoid running the script or move them first.
4) Prefer the --secure registration path (generating keys locally) and avoid the deprecated /register/easy mode that returns server-generated private keys.
5) If you plan to use this in an automated agent, consider the external AIP service URL: set AIP_SERVICE_URL to a host you trust, or audit the server behavior; the code will communicate with that external endpoint for registration, vouching, messaging, and signature publishing.
6) The docs and code have minor inconsistencies (env var, version); if you need high assurance, request the canonical source repository or a signed release and review the full script in that repository before trusting the skill.

Review Dimensions

Purpose & Capability
note: The declared purpose (agent identity, signing, encrypted messaging, vouching) matches the included code and API docs: the script implements registration, signing, vouching, messaging, key rotation, and talks to an external AIP service. However there are small mismatches: SKILL.md claims an AIP_CREDENTIALS_PATH env var for customizing credential storage which the included script does not actually read, and the SKILL.md/PyPI version string (v0.5.21) doesn't match the registry metadata (v1.6.0). These doc/code inconsistencies reduce confidence in maintenance but do not by themselves indicate malicious intent.
Instruction Scope
concern: The runtime instructions and the script instruct reading and writing a local credentials JSON (private key stored unencrypted) and contacting the external service at https://aip-service.fly.dev. The script's credential lookup (_find_creds_file) searches several locations including ~/.openclaw/workspace/credentials which could allow the skill to read credentials placed for other agent tooling; that path is unrelated to the stated purpose and is surprising. The script will also write aip_credentials.json into the working directory (potentially overwriting). The SKILL.md suggests an env var for custom credential path that is not implemented, which is inconsistent with the code's actual lookup behavior.
Install Mechanism
note: There is no install spec included (instruction-only with one script). SKILL.md advertises a PyPI package and a CLI ('pip install aip-identity' → 'aip'), but the skill bundle contains only scripts/aip.py and no packaged installer; the PyPI claim should be verified independently. No external download URLs are embedded in the install metadata itself (low install mechanism risk), but running the script will contact the external AIP service.
Credentials
concern: The skill requests no declared environment variables, but the script honors AIP_SERVICE_URL for the API base (reasonable) and searches for credential files in multiple locations including an .openclaw workspace path. Looking into another workspace's credential locations is disproportionate for a local identity CLI and could cause accidental access to other tooling's files. The script writes a local JSON containing the private key (expected for key storage) and will overwrite the output file without prompting. SKILL.md mentions AIP_CREDENTIALS_PATH to control location, but the script does not read that env var, a mismatch that affects how credentials are chosen and stored.
Persistence & Privilege
ok: The skill does not request always: true, does not alter other skills, and has no install routine that persists itself system-wide. It does persist private keys to disk (a normal behavior for identity tools) and may overwrite aip_credentials.json in the working directory; this file persistence is expected for key management but is something you must manage carefully (backup, secure permissions).