📦 AliasKit — 技能工具

v1.0.0

Persistent digital identity for this agent. Provides real email, phone number, virtual payment card, and TOTP codes. Use this skill whenever the agent needs:...

0· 37·0 当前·0 累计

by @nalin-atmakur (Nalin)·MIT-0

开发工具代码生成通信工具邮件服务 AI模型访问

下载技能包

License

MIT-0

最后更新

2026/4/13

安全扫描

VirusTotal

可疑

查看报告

OpenClaw

可疑

medium confidence

The skill's purpose (providing a persistent pseudonymous identity) is plausible, but the package has inconsistencies and asks you to collect and persist highly sensitive secrets (API key, cardKey, real card data) while the registry metadata does not declare those requirements.

评估建议

Before using this skill, consider the following: - This skill requires an AliasKit API key though the registry metadata doesn't declare it — you will be prompted to provide or paste ALIASKIT_API_KEY during setup.sh. Treat that key as sensitive. - setup.sh will install aliaskit@latest via npm at runtime (un-pinned). If you trust this vendor, pin a known-good version or review the package before installing. - identity.json stores sensitive values (apiKey, cardKey, identityId) in the skill directo...

详细分析 ▾

✓ 用途与能力

The described functionality (email, phone, virtual card, TOTP, realtime messages) matches the SDK methods and scripts included: the skill uses an AliasKit SDK to create/list identities, receive emails/SMS, register TOTP, and reveal virtual card data. Requiring an API key and client-side card encryption is coherent with the stated purpose.

⚠ 指令范围

The runtime instructions and scripts instruct the agent/user to: run scripts/setup.sh, provide or paste an ALIASKIT_API_KEY, run npm install aliaskit@latest, and (on card setup) collect full card details and CVC. identity.json persisted next to SKILL.md will contain the API key, identityId, and cardKey. These actions collect and persist highly sensitive data and grant the skill access to mail/SMS contents and payment reveal operations. The SKILL.md stays within the AliasKit domain (no unexpected external endpoints), but it directs broad data collection and local storage of secrets without describing encryption/protection beyond a generated cardKey.

ℹ 安装机制

There is no registry install spec, but setup.sh runs npm install aliaskit@latest when invoked. Installing the latest npm package at runtime is a moderate supply-chain risk (expected for SDK usage) — the script does not pin a version and fetches directly from the registry.

⚠ 凭证需求

Registry metadata declares no required env vars, yet setup.sh and the SDK logic rely on ALIASKIT_API_KEY (and the code persists that key into identity.json). The skill also requests collection of full card details and stores a generated cardKey in identity.json. Requiring and persisting these credentials is functional for the service, but the mismatch between declared requirements and actual behavior and the plaintext storage of secrets are notable concerns.

✓ 持久化与权限

always:false and normal user-invocation are set. The skill does not request to be always-enabled and does not modify other skills or system-wide configuration. Its persistence is limited to writing identity.json in the skill directory and optionally installing an npm package when setup.sh is run.

⚠ scripts/setup.sh:59

Environment variable access combined with network send.

安全有层次，运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发，无需署名。

查看条款 ↗

运行时依赖

无特殊依赖

版本

latestv1.0.02026/4/13

- Initial release of aliaskit skill, providing a persistent digital identity for the agent. - Offers real email, phone number, name, date of birth, and a virtual payment card. - Supports TOTP codes for 2FA/MFA and can handle email/SMS verification workflows. - Enables sending and receiving emails/SMS, online purchases with virtual cards, and real-time event listeners. - All identity data securely loaded from a local identity.json file; includes management and setup instructions.

● 可疑

安装命令

点击复制

官方npx clawhub@latest install aliaskit

镜像加速npx clawhub@latest install aliaskit --registry https://cn.longxiaskill.com

技能文档

You have a persistent digital identity. identity.json is stored next to this SKILL.md file. Use the directory containing this file as the base path for all operations.

First, check for new messages by running scripts/check-events.sh (relative to this file's directory).

Load your identity

Read identity.json from the same directory as this SKILL.md file.

If identity.json does not exist, run scripts/setup.sh (relative to this file's directory).

After loading, you have:

identityId - your AliasKit identity ID (use in all SDK calls)
email - your real email address (use for signups, forms, contact)
phone - your real phone number (use for SMS verification, phone fields)
name - your full name (use for name fields on forms)
dob - your date of birth (use for DOB fields)
cardKey - encryption key for virtual card operations

What you can do

You have a complete digital identity. Use it whenever you encounter:

Email fields: Use identity.email for any form asking for email
Phone fields: Use identity.phone for any form asking for phone number
Name fields: Use identity.name for any form asking for your name
DOB fields: Use identity.dob for date of birth
Signup flows: Sign up using your email, then retrieve the verification code
SMS verification: Receive SMS codes at your phone number
Online purchases: Reveal your virtual card details for checkout
2FA/MFA: Register TOTP secrets and read current codes
Sending messages: Send emails and SMS from your own address/number
Realtime listeners: Subscribe to live email/SMS events via WebSocket
Search emails: Full-text search across your inbox
Email threads: View conversation threads
Attachments: Download email attachments via signed URLs
Mark read/delete: Manage inbox state

If a form asks for personal information, always read your identity file first.

Patterns

All patterns start with loading the identity and creating the SDK client. Read identity.json from the same directory as this file. The API key is stored in identity.json so it persists across sessions.

const fs = require('fs');
const path = require('path');
const { AliasKit } = require('aliaskit');
const id = JSON.parse(fs.readFileSync(path.join(SKILL_DIR, 'identity.json'), 'utf8'));
// Set API key from stored credentials (persists across sessions)
if (id.apiKey) process.env.ALIASKIT_API_KEY = id.apiKey;const ak = new AliasKit();

Replace SKILL_DIR with the actual path to the directory containing this SKILL.md file.

A. Identity management

// Create a new identity (usually done once via setup.sh)
const identity = await ak.identities.create({ provisionPhone: true });
// List all identities
const all = await ak.identities.list();
// Get an identity by ID
const existing = await ak.identities.get(id.identityId);
// Provision a phone number on an existing identity
const updated = await ak.identities.provisionPhone(id.identityId, { country: 'US' });
// Delete an identity (releases email + phone)
await ak.identities.delete(id.identityId);// List identity events (activity log)
const events = await ak.identities.listEvents(id.identityId, { limit: 20 });

B. Fill a form with your details

When you encounter a form asking for personal information:

console.log('Name:', id.name);
console.log('Email:', id.email);
console.log('Phone:', id.phone);
console.log('DOB:', id.dob);

Use these values to fill form fields. For address fields, ask the user.

B. Sign up for a service (email verification)

After using id.email to sign up, wait for the verification email. waitForCode checks existing unread emails first, then subscribes via realtime WebSocket. It returns the full email, so you can read the body and extract the code yourself.

const email = await ak.emails.waitForCode(id.identityId, { timeout: 60_000 });
console.log('From:', email.from);
console.log('Subject:', email.subject);
console.log('Body:', email.body_text);
// Read the body and extract the verification code or link from it

C. SMS verification

Same pattern. Returns the full SMS message.

const sms = await ak.sms.waitForCode(id.identityId, { timeout: 60_000 });
console.log('From:', sms.from);
console.log('Body:', sms.body);
// Read sms.body and extract the verification code from it

If waitForCode isn't working, you can use the realtime subscription directly:

const sub = ak.realtime.subscribeToEmails(id.identityId, (email) => {
  if (email.direction === 'inbound') {
    console.log('New email:', email.from, email.subject, email.body_text);
    sub.unsubscribe();
  }
});// For SMS:
const smsSub = ak.realtime.subscribeToSms(id.identityId, (sms) => {
  if (sms.direction === 'inbound') {
    console.log('New SMS:', sms.from, sms.body);
    smsSub.unsubscribe();
  }
});

D. Add a card (setup process)

When the user wants their agent to make purchases, walk them through adding a card. Ask for these details one by one:

Card number (the 16-digit number on the card)
CVC (3-digit security code on the back)
Expiry month (1-12)
Expiry year (e.g. 2028)
Cardholder's first name (the real name on the card, NOT the identity's generated name)
Cardholder's last name
Billing address line 1
Billing address line 2 (optional)
City
State / region (optional)
Postal / ZIP code
Country (e.g. GB, US)
Budget limit (optional, in your currency, e.g. "50" for a £50 cap)
Card source (where the card is from: revolut, monzo, wise, or other)

Explain to the user: "All card and billing details are encrypted on your device before anything is sent. AliasKit's servers only ever see an encrypted blob. The card key in your identity.json is used to decrypt details locally when needed. AliasKit can never see your card number, CVC, or billing details."

We recommend using a virtual card from your bank (Revolut, Monzo, Wise) with its own spending limit as a safety net.

const ak = new AliasKit({ cardKey: id.cardKey });const card = await ak.cards.create(id.identityId, {
  cardNumber: '4242424242424242',
  cvc: '123',
  expMonth: 12,
  expYear: 2028,
  billingFirstName: 'John',
  billingLastName: 'Doe',
  billingAddressLine1: '123 Main Street',
  billingAddressLine2: 'Flat 4B',
  billingAddressCity: 'London',
  billingAddressState: 'Greater London',
  billingAddressPostalCode: 'SW1A 1AA',
  billingAddressCountry: 'GB',
  budgetCents: 5000,       // optional, £50 limit
  cardSource: 'revolut',
  cardName: 'Shopping',
});

Important distinction: The billing details (real name, real address) belong to the card and are for checkout forms only. They are completely separate from the identity's generated name and DOB. When filling a checkout form:

Use card.billing_first_name / card.billing_last_name for name fields (NOT identity.name)
Use card.billing_address_* for address fields
Use identity.email for email fields
Use identity.phone for phone fields

E. Make a purchase (reveal card)

When the agent needs to fill a checkout form, reveal the card to get all details:

const ak = new AliasKit({ cardKey: id.cardKey });
const cards = await ak.cards.list(id.identityId);
if (cards.data.length === 0) {
  // No card added yet. Ask the user to add one (see pattern D above).
  console.log('No card added. Ask the user to add a bank card first.');
} else {
  const card = await ak.cards.reveal(cards.data[0].id, {
    amountCents: 1999, // declare the purchase amount for budget tracking
  });
  // Card details
  console.log('Card:', card.number);
  console.log('CVC:', card.cvc);
  console.log('Expiry:', card.exp_month + '/' + card.exp_year);  // Billing details (use these for checkout, not identity.name)
  console.log('Name:', card.billing_first_name, card.billing_last_name);
  console.log('Address:', card.billing_address_line1);
  console.log('City:', card.billing_address_city);
  console.log('Postal:', card.billing_address_postal_code);
  console.log('Country:', card.billing_address_country);
}

Never log full card numbers in conversation output. Use last4 for display.

E. Handle TOTP 2FA

When a service shows a TOTP QR code or secret during 2FA setup:

// Register a TOTP secret
const entry = await ak.totp.register(id.identityId, {
  secret: 'JBSWY3DPEHPK3PXP',
  serviceName: 'example.com',
});
// Get the current code
const { code, remaining_seconds } = await ak.totp.getCode(id.identityId, entry.id);
console.log('2FA code:', code, '(expires in', remaining_seconds, 's)');
// List all registered TOTP secrets
const secrets = await ak.totp.list(id.identityId);
secrets.data.forEach(t => console.log(t.service_name, t.id));// Delete a TOTP entry
await ak.totp.delete(id.identityId, entry.id);

F. Send email or SMS

await ak.emails.send(id.identityId, {
  to: 'someone@example.com',
  subject: 'Hello',
  bodyText: 'Message from your AI agent.',
});await ak.sms.send(id.identityId, {
  to: '+15551234567',
  body: 'Message from your AI agent.',
});

G. Check inbox

const emails = await ak.emails.list(id.identityId, { unread: true, limit: 10 });
emails.data.forEach(e => console.log([${e.from}] ${e.subject}));const sms = await ak.sms.list(id.identityId, { unread: true, limit: 10 });
sms.data.forEach(s => console.log([${s.from}] ${s.body}));

H. Realtime subscriptions (listen for incoming messages)

Instead of polling, you can subscribe to live events. The callback fires instantly when an email or SMS arrives.

// Listen for incoming emails
const emailSub = ak.realtime.subscribeToEmails(id.identityId, (email) => {
  console.log('New email from:', email.from, '| Subject:', email.subject);
  // React to the email here
});
// Listen for incoming SMS
const smsSub = ak.realtime.subscribeToSms(id.identityId, (sms) => {
  console.log('New SMS from:', sms.from, '| Body:', sms.body);
  // React to the SMS here
});
// Listen for all events (emails, SMS, card authorizations, etc.)
const allSub = ak.realtime.subscribe(id.identityId, (event) => {
  console.log('Event:', event.type, event.data);
});// When done, unsubscribe:
emailSub.unsubscribe();
smsSub.unsubscribe();
allSub.unsubscribe();

Use realtime subscriptions when your agent needs to react immediately to incoming messages, rather than checking on a schedule.

I. Search emails

const results = await ak.emails.search(id.identityId, {
  query: 'verification',       // full-text search on subject + body
  from: 'noreply@example.com', // filter by sender
  after: '2026-04-01T00:00:00Z',
  limit: 10,
});
results.data.forEach(e => console.log(e.subject));

J. Email threads

const threads = await ak.threads.list(id.identityId);
threads.data.forEach(t => console.log(t.subject, '-', t.message_count, 'messages'));// Get a full thread with all messages
const thread = await ak.threads.get(id.identityId, threadId);
thread.messages.forEach(m => console.log(m.from, ':', m.body_text));

K. Manage inbox

Messages are NOT automatically marked as read when you list or poll them. You must explicitly mark them as read after processing. This is important for workflows that check for unread messages, otherwise you will keep re-processing the same messages.

// Mark email as read (do this after you've processed the message)
await ak.emails.markRead(id.identityId, emailId, true);
// Mark SMS as read
await ak.sms.markRead(id.identityId, smsId, true);
// Mark as unread again
await ak.emails.markRead(id.identityId, emailId, false);
// Delete an email
await ak.emails.delete(id.identityId, emailId);
// Delete an SMS
await ak.sms.delete(id.identityId, smsId);// Get a signed URL for an email attachment
const { url } = await ak.emails.getAttachmentUrl(emailId, 0); // 0 = first attachment

L. Wait for a magic link

const link = await ak.emails.waitForMagicLink(id.identityId, {
  timeout: 60_000,
});
console.log('Magic link:', link); // https://example.com/verify?token=...

M. Card management

const ak = new AliasKit({ cardKey: id.cardKey });
// Add a new card with billing details (all encrypted before leaving your device)
const card = await ak.cards.create(id.identityId, {
  cardNumber: '4242424242424242',
  cvc: '123',
  expMonth: 12,
  expYear: 2028,
  budgetCents: 5000,         // optional spending limit
  cardSource: 'revolut',     // where the card is from
  cardName: 'Shopping',      // friendly label
  // Billing details (cardholder's real details for checkout forms)
  billingFirstName: 'John',
  billingLastName: 'Doe',
  billingAddressLine1: '123 Main Street',
  billingAddressCity: 'London',
  billingAddressPostalCode: 'SW1A 1AA',
  billingAddressCountry: 'GB',
});
// Check budget before a purchase
const budget = await ak.cards.budget(card.id);
console.log('Remaining:', budget.remaining_cents, 'cents');
// Update budget
await ak.cards.updateBudget(card.id, { budgetCents: 10000 });
// View card activity
const activity = await ak.cards.activity(card.id);
activity.data.forEach(a => console.log(a.amount_cents, a.allowed ? 'approved' : 'declined'));// Freeze / unfreeze / cancel
await ak.cards.freeze(card.id);
await ak.cards.unfreeze(card.id);
await ak.cards.cancel(card.id); // permanent

N. Unified inbox

// Get all messages (email + SMS) in one call
const all = await ak.identities.listMessages(id.identityId, { limit: 20 });
all.data.forEach(m => console.log(m.direction, m.from || m.to));

Guardrails

Never create a second identity. Always use the one in your identity file.
Never log full card numbers. Use last4 for any output shown to the user.
Identity file is sensitive. Never commit it to version control.
Card key is irrecoverable. If lost, card data cannot be decrypted.

For the full SDK method reference, read: references/sdk-methods.md

For detailed documentation, guides, and examples, visit: https://www.aliaskit.com/docs

Troubleshooting

ALIASKIT_API_KEY not set - Get your key at https://aliaskit.com/dashboard
EmailTimeoutError - No email arrived in 60s. Check the email address was entered correctly.
SmsTimeoutError - No SMS arrived. Check the phone number was entered in E.164 format.
OtpNotFoundError - An email/SMS arrived but no code was found. Try passing a provider hint.
Identity not found - The identity may have been deleted. Run setup again.

数据来源：ClawHub ↗ · 中文优化：龙虾技能库