ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

whoami

v1.0.2

Cross-AI user identity profile sync service. When you need user's background, preferences, or personal context to better execute a task, invoke this skill to...

0· 386·1 current·1 all-time
byMorvan@morvanzhou
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (user identity profile sync) align with the included script and SKILL.md: the skill reads/writes a Markdown profile to a remote service and stores a local config at ~/.whoamiagent. No unrelated binaries or credentials are requested in the files.
Instruction Scope
SKILL.md and the script instruct the agent to auto-open a browser for login and to curl a user-provided one-time configuration URL and save its contents directly to ~/.whoamiagent. The agent is instructed to upload profile content to the remote API (POST /api/profile). These behaviors are coherent with the stated purpose but carry privacy risk: user profile data (potentially sensitive) will be transmitted to an external service, and the agent is told to write a config file fetched from an external URL without local validation.
Install Mechanism
No install spec and no external binary downloads — the skill is instruction+script only. Execution uses the system python3 interpreter, which is proportionate to the task.
!
Credentials
The runtime requires an API key stored in ~/.whoamiagent (WHOAMI_API_KEY), but the registry metadata lists no primary credential or required env vars — a mismatch. The script also respects WHOAMI_ENDPOINT and WHOAMI_FRONTEND_URL environment variables (which can redirect traffic to arbitrary hosts), but these are not declared in metadata. The skill will transmit user profile content to an external endpoint, so requiring and documenting the API credential in the registry would be expected but is missing.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It writes/reads a config file in the user's home (~/.whoamiagent) and may delete temp files created during updates; this behavior is consistent with its functionality.
What to consider before installing
Before installing or enabling this skill, consider: 1) The skill stores and uploads a personal profile to a remote service (default https://whoamiagent.com). Only use it if you trust that service and its privacy policy. 2) The skill requires an API key saved to ~/.whoamiagent (WHOAMI_API_KEY), but the registry metadata did not declare this credential — verify where that config comes from and inspect it before running. 3) The SKILL.md instructs using curl to download a one-time config URL and save it directly to your home config file; do not run those commands if you cannot verify the URL/source. 4) Environment variables (WHOAMI_ENDPOINT, WHOAMI_FRONTEND_URL) can redirect the skill to arbitrary endpoints — ensure these are unset or point to trusted hosts. 5) Avoid putting secrets or very sensitive personal data in the profile; the skill will POST profile content to a third-party API. 6) If you still want to try it, run the script in a controlled environment first (inspect ~/.whoamiagent after setup, test against a non-production endpoint, or sandbox it). If you want a safer alternative, request the skill author to add explicit registry metadata listing the required API key and to include an option to preview/validate any downloaded config before writing it to disk.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cn4601hmfd0rqp3meecc2rn826w6y
386downloads
0stars
3versions
Updated 3h ago
v1.0.2
MIT-0
Morvan@morvanzhou
latest
Download

whoami — User Identity Profile Management

Overview

whoami enables AI Agents to automatically recognize user identity during conversations. Through a remotely stored profile, any AI can quickly "know you" on first interaction without requiring repeated introductions.

Core capabilities:

  • Read user profile from remote and inject into conversation context
  • Save/update user identity information to remote
  • Execute subsequent tasks (calling other skills, writing code, etc.) based on user preferences
  • Share the same user profile across AI tools

Workflow Decision Tree

User initiates conversation
    │
    ├─ Is ~/.whoamiagent configured?
    │   ├─ YES → Run `get` to read remote profile → Inject into context → Continue with task
    │   └─ NO  → Script auto-opens browser login page → Agent tells user to log in and get one-time URL → **Agent STOPS and WAITS for user to provide one-time URL** → Agent downloads and saves to ~/.whoamiagent
    │
    ├─ User requests to update info?
    │   └─ YES → Organize into Markdown → Write to temp file → Run `update --file` to write to remote → Confirm success
    │
    └─ User asks "do you know me?"
        └─ Run `get` → Display profile summary

1. Configure API Key (First Use)

If not yet configured, simply running get or setup will auto-open the browser login page. After logging in, the user generates a one-time configuration URL on the Dashboard.

The Dashboard provides a one-time URL (e.g., https://whoamiagent.com/api/storeapi?token=<token>) that contains the API configuration. To set up, download this URL and save its content directly to ~/.whoamiagent:

curl -s "https://whoamiagent.com/api/storeapi?token=<token>" > ~/.whoamiagent
chmod 600 ~/.whoamiagent

Config file is saved at ~/.whoamiagent with the necessary credentials securely configured.

2. Get User Profile

When you need to understand the user's identity, run the script to fetch the remote profile:

python3 <skill-dir>/scripts/whoami_profile.py get
  • If a remote profile exists, the script outputs Markdown content
  • If no remote profile exists, the script outputs a prompt; guide the user to create one

After loading the profile, use its content as context to understand the user, then continue executing the user's actual task.

3. Update User Profile

When the user provides new personal information, overwrite-update to remote.

Recommended: Write content to a temp file first, then use --file flag (avoids shell argument length limits and special character issues):

# Step 1: Agent writes the full profile Markdown to a temp file
#         (use write_to_file or echo/cat to create the file)
# Step 2: Run update with --file
python3 <skill-dir>/scripts/whoami_profile.py update --file /tmp/whoami_profile_tmp.md

The script reads the file content, uploads it, and automatically deletes the temp file after reading.

Alternative (for short content only):

python3 <skill-dir>/scripts/whoami_profile.py update "Short profile content"

Note: update is an overwrite operation. Always pass the complete profile content. The remote automatically retains the last 3 historical versions.

Length limit: Profile content must not exceed 5000 characters (~2000 Chinese characters or ~2000 English words). The API will return an error if exceeded. Keep the profile concise and within this limit when generating.

Profile format spec: See <skill-dir>/references/profile_format.md

4. View Profile Metadata

python3 <skill-dir>/scripts/whoami_profile.py info

Outputs profile metadata such as character count and line count.

Examples

Example 1: Auto-load at conversation start

User says: "Help me write a Python script to process CSV"

Agent behavior:

  1. Run whoami_profile.py get to fetch user profile
  2. Learn user preferences from profile (e.g., "prefers concise code style", "uses pandas")
  3. Generate code matching the user's style

Example 2: User saves info proactively

User says: "Remember that I'm Mofan, an indie developer skilled in Python and ML"

Agent behavior:

  1. Run whoami_profile.py get to fetch existing profile
  2. Merge new info into existing profile, organize into complete Markdown
  3. Write the complete profile to a temp file (e.g., /tmp/whoami_profile_tmp.md)
  4. Run whoami_profile.py update --file /tmp/whoami_profile_tmp.md to overwrite-update
  5. Confirm save success

Example 3: First-time setup

User says: "Do you know me?"

Agent behavior:

  1. Run whoami_profile.py get
  2. If API Key is not configured, the script auto-opens the browser login page. Agent MUST:
    • Tell the user: "I've opened the login page in your browser. Please log in and generate a one-time configuration URL on the Dashboard."
    • STOP here and wait for the user to reply with the one-time configuration URL.
    • Download the URL and save to ~/.whoamiagent: curl -s "<provided-url>" > ~/.whoamiagent && chmod 600 ~/.whoamiagent
    • Then run whoami_profile.py get again to fetch the profile
  3. If already configured, display profile summary

Important Notes

  1. Config file path is ~/.whoamiagent (cross-platform: macOS/Linux/Windows), shared by all AI tools
  2. Profile uses Markdown format, readable by both humans and AI
  3. After loading profile, you must continue executing the user's actual task — do not stop at the loading step
  4. update is an overwrite operation — always pass complete content; remote retains 3 history versions
  5. Profile max 5000 characters — keep it concise, avoid redundant descriptions
  6. <skill-dir> refers to the directory path where this SKILL.md is located
  7. Script uses only Python standard library, zero third-party dependencies
  8. When API Key is not configured, use the one-time URL approach — Agent receives one-time URL from user, downloads it directly to ~/.whoamiagent, never handles API Key directly

Comments

Loading comments...