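📦 Robot Id Card — Utilities
v0.4.0 Identity authentication standard — issues cryptographic identity certificates to AI agents and robots so that websites can trust your bot. Includes an Ed25519-signed registry, a command-line tool, a browser extension and a website SDK, with tiered permission control (levels 0-5), reputation built up through daily check-ins, and a public audit log. Universal identity standard for AI bo...
0 · 138 · 0 current · 0 total
Security scan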
OpenClaw
Safe
high confidence
The package and SKILL.md are internally consistent with a bot-identity/registry project: required tools, files, and runtime instructions match the stated purpose and there are no unexplained credentials or odd install hosts, but you should still review extension and private-key handling before deploying.
Assessment recommendations
This project appears coherent for providing bot identity and verification (registry + CLI + SDK + extension). Before installing or deploying: 1) Review the browser extension/background code to ensure it does not exfiltrate private keys or inject credentials to unintended hosts; 2) Keep generated private key files (bot.key.json / bot.ric.json) protected and do not publish them; 3) If you deploy the registry, set a strong RIC_ADMIN_KEY and run it in an isolated environment (or behind proper access...
✓ Purpose and capabilities
Name/description, declared requirements (Node >=18, npm), and included packages (registry, CLI, SDK, browser extension, dashboard) align with the stated purpose of issuing and verifying bot identity certificates. The code files implement a Fastify registry, CLI, SDK middleware and extension — all expected for this project.
ℹ Instruction scope
SKILL.md sticks to the expected operations (keygen, register, claim, sign, run local registry, integrate middleware). It explicitly states private keys remain local and that the registry persists in SQLite. Caution: the browser extension and CLI write/read local key/certificate files; you should audit the extension/background logic and confirm private keys are never transmitted or read by the registry/extension in unexpected ways before use.
ℹ Install mechanism
No special install spec in the skill bundle (instruction-only), and the repo recommends git clone + npm install or clawhub install. GitHub and npm (registry) are used — standard channels. Running npm install will pull third-party dependencies (package-lock.json lists many), so normal supply-chain risk applies; there are no unusual download URLs or URL shorteners in the instructions.
✓ Credential requirements
SKILL.md declares no required environment variables for normal local use. The only notable secret is an optional RIC_ADMIN_KEY for deployed admin operations (Render). That credential is proportional to running a registry admin UI and is documented as deployment-only.
ℹ Persistence and privileges
The skill runs as the invoking user and persists data in repository-local paths (SQLite under packages/registry/data or /data when deployed). It does not demand elevated privileges nor set always:true. Note that keys and certificates are stored on disk; keep them protected and consider running the registry in an isolated environment for production.
⚠ packages/cli/src/index.ts:22
Environment variable access combined with network send.
⚠ packages/cli/src/index.ts:81
File read combined with network send (possible exfiltration).
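Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Install commands
Official: npx clawhub@latest install robot-id-card
Mirror (accelerated): npx clawhub@latest install robot-id-card --registry https://cn.longxiaskill.com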