Back to skill
Skillv1.0.0
ClawScan security
Identity Trust · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 7, 2026, 10:51 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's stated DID/VC functionality is coherent, but the package advertises concrete CLI/programmatic tools while providing no code or install spec in the registry — it instructs the user/agent to install a third‑party npm/GitHub package and to store private keys on disk, which is sensible for the purpose but introduces installation and local key handling risks that aren't represented in the registry metadata.
- Guidance
- This skill describes a legitimate DID/Verifiable Credentials toolset, but the registry package contains only instructions — the actual implementation is an external npm/GitHub package (openclaw-identity-trust). Before installing or letting an agent run these commands: 1) Inspect the npm package and the GitHub repository (owner, recent commits, open issues, README, license) to ensure you trust the author. 2) Review the package code (especially code that writes keys.json/keys handling and any network calls). 3) Avoid global npm installs on a production machine; prefer installing in an isolated environment (container/VM) and verify package integrity (checksums). 4) Treat the local storage path (~/.openclaw/identity/) as sensitive: ensure keys are encrypted, use secure file permissions, and back up/rotate keys per best practices. 5) If you do not want the agent to autonomously install/run third‑party code, do not grant it permission to execute shell/npm commands — run the audit and installation manually. If you want me to, I can fetch and summarize the GitHub repo and npm package metadata (owner, versions, recent activity) to help you decide.
Review Dimensions
- Purpose & Capability
- noteThe name and description match the SKILL.md content (DID and Verifiable Credentials). However the SKILL.md advertises 6 runnable tools and a Node.js library while the registry contains no code or install spec — meaning the skill as published is instruction-only and relies on an external npm/GitHub package (openclaw-identity-trust) to provide the actual functionality. That mismatch is an incoherence (not necessarily malicious) the user should understand.
- Instruction Scope
- concernThe instructions explicitly tell users/agents to install and run an external npm package or clone a GitHub repo, resolve DIDs potentially over the network (did:web), and read/write cryptographic material to ~/.openclaw/identity/ (dids.json, credentials.json, keys.json). Those file path operations and optional network calls are relevant to DID/VC tasks but are sensitive: private keys will be written to disk and network resolution may contact external endpoints. The SKILL.md also contains AUTO-TRIGGER rules for agent invocation — fine, but the runtime actions implied (installing and executing third-party code, file I/O, network access) are not captured in registry requirements.
- Install Mechanism
- concernThe registry exposes no install spec, but SKILL.md recommends installing via npm (-g) or cloning a GitHub repo. Installing an npm package or code from GitHub runs third-party code on the user's machine and can execute arbitrary actions. While npm and GitHub are common sources, the registry's lack of bundled code or an explicit verified install spec means the skill depends on an external package that should be audited before installation.
- Credentials
- noteThe skill declares no required environment variables, which matches the registry. SKILL.md mentions optional env vars (OPENCLAW_IDENTITY_PATH, OPENCLAW_IDENTITY_NETWORK_ENABLED) appropriate for customizing storage and network behavior. The main sensitivity is local private key storage (keys.json). No unrelated credentials are requested in metadata, which is proportionate, but storing private keys locally is inherently high-value and should be handled carefully.
- Persistence & Privilege
- okalways is false and there are no declared persistent privileges. The skill does instruct storing data under ~/.openclaw/identity/ but does not claim to modify other skills or system-wide configs. Autonomous invocation is allowed by default — combine that with other flags (if you plan to allow the agent to run installation commands) and consider restricting execution if you don't trust the external package.