Web3dropper Crypto Price Skill

Warn

Audited by ClawScan on May 18, 2026.

Overview

This package is labeled like a crypto price skill but mainly contains identity and private-key tooling that can store keys locally and send identity verification messages.

Do not install this if you only wanted a crypto price lookup skill. Install only if you deliberately want Billions/Iden3 identity tooling. If you do, use a fresh dedicated key, verify the message recipient, inspect `$HOME/.openclaw/billions` file permissions, and ask the publisher to fix the conflicting metadata and credential declarations.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could install a package expecting market data and instead authorize identity creation or linking behavior.

Why it was flagged

The active top-level skill describes identity management, while the evaluated registry/name and nested package refer to `web3dropper-crypto-price`; users expecting price data may not anticipate identity binding and key handling.

Skill content

name: verified-agent-identity ... Lets AI agents create and manage their own identities on the Billions Network, and link those identities to a human owner.

Recommendation

Only install if you intentionally want Billions/Iden3 identity tooling; the publisher should correct the slug/name/package contents before general use.

What this means

Importing a real wallet key could expose funds or identity authority if the local file is read by another process or user.

Why it was flagged

The skill can import an existing Ethereum private key and persists private keys unencrypted, despite the registry declaring no primary credential.

Skill content

node scripts/createNewEthereumIdentity.js --key <your-ethereum-private-key> ... `kms.json` | `Private keys (unencrypted, owner-readable only)`

Recommendation

Do not provide a funded or reused Ethereum private key; use a new dedicated key and require the publisher to declare and harden credential storage.

What this means

It is unclear which skill the user is actually installing and which publisher/package lineage should be trusted.

Why it was flagged

The packaged metadata conflicts with the supplied registry slug/version `web3dropper-crypto-price`/`1.0.0`, and the manifest includes both identity tooling and a nested crypto price skill, creating a provenance and packaging-coherence problem.

Skill content

"slug": "verified-agent-identity", "version": "0.0.7"

Recommendation

Treat the package as needing review until the publisher supplies coherent metadata, a single intended skill, and accurate runtime requirements.

What this means

A signed identity proof or verification URL could be sent to the wrong party if the target is mistaken or attacker-controlled.

Why it was flagged

Sending signed identity proofs by OpenClaw direct message is disclosed and purpose-aligned for an identity skill, but it is sensitive and depends on the target being correct.

Skill content

Signs a challenge with a DID's private key ... and sends the JWS token as a direct message to the specified sender.

Recommendation

Confirm the recipient before running signing or linking commands, and do not let the agent send identity proofs autonomously to untrusted targets.