📦 Verified Agent Identity — 实用工具
v0.1.0用于 agents. Link agents human identities 使用 Billions ERC-8004 和 Attestation Registries. Verify 和 生成 authentic...
0· 256·0 当前·0 累计
by @devkonten 安全扫描
OpenClaw
可疑
medium confidenceThe skill's code and instructions largely match an identity-management purpose, but there are cohesion issues (undeclared environment usage, missing npm requirement, and local private-key handling) that warrant caution before installing.
评估建议
What to check before installing:
- Expect the skill to create and store private keys and DID state at $HOME/.openclaw/billions. If you do not want keys on disk, do not install.
- By default keys are stored in plaintext unless you set BILLIONS_NETWORK_MASTER_KMS_KEY. If you plan to use this skill, set BILLIONS_NETWORK_MASTER_KMS_KEY to a strong secret (and back it up) to enable AES-256-GCM encryption of keys.
- The SKILL.md instructs running 'npm install' but the registry metadata does not list '...详细分析 ▾
✓ 用途与能力
Name/description (decentralized DID management on Billions Network) aligns with the included scripts: DID creation, challenge generation/signing, linking humans to agent DIDs, and signature verification. Network endpoints and libraries used (iden3, polygonid, ethers) are consistent with the stated purpose.
ℹ 指令范围
SKILL.md instructs running the included Node scripts (npm install then node scripts/...). The runtime steps read/write identity material under $HOME/.openclaw/billions and perform network calls to Billions/Privado services. The README also forbids manual cryptographic workarounds. This scope is appropriate for an identity skill, but the SKILL metadata omitted 'npm' even though instructions require running 'npm install'.
ℹ 安装机制
There is no formal install spec in the registry entry (instruction-only), yet the package includes a scripts/ package.json and package-lock.json and the runtime instructions call 'npm install'. Dependencies are pulled from npm (well-known packages). This is moderate-risk but expected for Node-based tooling; absence of an explicit install spec in the registry is an inconsistency users should notice.
⚠ 凭证需求
The code reads an optional master key environment variable (BILLIONS_NETWORK_MASTER_KMS_KEY) to enable AES-256-GCM encryption of private keys, but the registry metadata did not declare any required environment variables. Keys are persisted to $HOME/.openclaw/billions/kms.json and, if the master key is not set, they are stored as plain hex. The use of a sensitive env var (master KMS key) is reasonable for this skill, but it should be declared explicitly and users must understand the plaintext fallback behavior.
✓ 持久化与权限
The skill persists keys and identity files to $HOME/.openclaw/billions (documented in README/SKILL.md). It does not request 'always: true' or system-wide config modifications. File writes are expected for an identity management skill, but this is persistent sensitive data and should be accepted intentionally by the user.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
安装命令
点击复制官方npx clawhub@latest install verified-agent-identity-4
镜像加速npx clawhub@latest install verified-agent-identity-4 --registry https://cn.longxiaskill.com