首页龙虾技能列表 › Whoareyou — 技能工具

Whoareyou — 技能工具

v1.0.0

Show your verified wayID identity card when a user asks who you are

0· 72·0 当前·0 累计
by @erasmus (Erasmus Hagen)·MIT-0
下载技能包
License
MIT-0
最后更新
2026/3/23
安全扫描
VirusTotal
可疑
查看报告
OpenClaw
可疑
medium confidence
The instructions match the skill's stated purpose (fetching a verified identity card) but they require reading a local identity file that contains a private key and calling an external service (way.je); this is coherent but poses a real risk of accidental private-key exposure and the package has no provenance (no source/homepage) so proceed cautiously.
评估建议
This skill appears to do what it says, but exercise caution before installing or enabling it: 1) Source provenance: there is no homepage or code to inspect — verify the publisher (owner ID) and trustworthiness of way.je before use. 2) Private key risk: the file you must read (~/.openclaw/identity/device.json) contains a privateKey field; ensure the agent implementation only extracts the publicKey, does not print/log the full file, and never transmits the privateKey. 3) Network calls: confirm the...
详细分析 ▾
用途与能力
The skill's name and description ('show your verified wayID identity card') align with its instructions: read the agent's public key and query way.je to fetch an identity card. No unrelated environment variables or extra binaries are requested. However the skill has no source/homepage listed (unknown origin), which reduces trust in provenance.
指令范围
The runtime instructions require reading ~/.openclaw/identity/device.json which indeed contains both publicKey and privateKey fields. The SKILL.md explicitly says only the publicKey is needed, but it does not provide strict safeguards or verification steps to ensure the privateKey is never read, logged, or transmitted. The skill also instructs contacting an external API (https://way.je); that is expected for the purpose, but any implementation bug could leak sensitive material. The instructions are otherwise scoped to the described task and forbid opening a browser.
安装机制
This is instruction-only (no install spec, no code files). That reduces the attack surface because nothing is downloaded or written by the installer, but it also means there is no code to audit — you must trust the agent runtime to implement the instructions safely.
凭证需求
No environment variables or credentials are requested, which is appropriate. However, requiring access to a config file that contains the agent's private key is sensitive. Even without explicit env/secret requests, reading ~/.openclaw/identity/device.json gives access to a privateKey field — the skill should make it explicit (and the runtime should enforce) that only the publicKey value is read and transmitted.
持久化与权限
The skill is user-invocable and not always-on; it does not request persistent privileges or modification of other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with other high-risk flags here.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.0.02026/3/23

whoareyou 1.0.0 — Initial Release - Introduces the /whoareyou command to display your verified wayID identity card. - Securely fetches identity information via the wayID API using your Ed25519 public key. - Clearly presents agent ownership, verification status, and a certificate link to users. - Handles API errors by notifying the user if identity card retrieval fails. - No data is fabricated; only official API responses are shown.

● 可疑

安装命令 点击复制

官方npx clawhub@latest install whoareyou
镜像加速npx clawhub@latest install whoareyou --registry https://cn.clawhub-mirror.com

技能文档

When a user types /whoareyou, display your verified wayID identity card so they can see who owns and operates you.

Base URL: https://way.je

Rules

  • NEVER open a browser or attempt to navigate to any URL. All actions are API calls only.
  • Do NOT invent or fabricate data. Only display information returned by the API.
  • If any step fails, tell the user you could not retrieve your identity card and show the error.

What to Do

Step 1: Read Your Public Key

Read your Ed25519 public key from ~/.openclaw/identity/device.json:

{ "publicKey": "", "privateKey": "" }

You only need the publicKey field.

Step 2: Look Up Your wayID

Call the wayID lookup API with your public key:

GET https://way.je/api/v1/agent/{publicKey}

Where {publicKey} is your base64 public key, URL-encoded.

The response contains your certificate ID:

{
  "verified": true,
  "owner": {
    "identityMethod": "concordium",
    "identityLevel": "verified",
    "claimedAt": "2026-03-10T16:45:00Z"
  },
  "certificate": {
    "id": "wayid:agent:...",
    "status": "active",
    "verifyUrl": "/agent/wayid:agent:..."
  }
}

Step 3: Fetch Your Identity Card

Using the certificate ID from Step 2, fetch your full card:

GET https://way.je/api/agents/{wayidDid}/card

The response contains:

{
  "wayidDid": "wayid:agent:...",
  "displayName": "Your Agent Name",
  "username": "your-username",
  "description": "What you do",
  "status": "active",
  "claimedAt": "2026-03-10T16:45:00Z",
  "owner": {
    "displayName": "Owner Name",
    "username": "ownerusername"
  },
  "verification": {
    "provider": "concordium",
    "label": "Concordium ID",
    "verifiedAt": "2026-02-20T10:30:00Z"
  },
  "certificateUrl": "https://way.je/agent/wayid:agent:..."
}

Step 4: Display the Identity Card

Format and display the card to the user like this:

🛡️ {displayName} @{username}

{description}

✅ Verified — {verification.label} Owned by {owner.displayName} (@{owner.username})

View Certificate →

If the agent is not verified (no verification object), show:

{displayName} @{username}

{description}

⚠️ Identity not yet verified Owned by {owner.displayName}

View Certificate →

What is wayID?

wayID is provenance infrastructure for AI agents. It binds verified human identities to their AI agents, giving consumers a way to verify agent ownership and reputation — like SSL certificates, but for AI agents.

数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务