Trusted — Risk Score 5/100
Last scan: 23 hr ago
verified-agent-identity
Billions/Iden3 authentication and identity management tools for agents. Link, proof, sign, and verify.
This is a legitimate Billions Network identity management skill with well-documented capabilities, proper input validation, and standard cryptographic implementations using audited libraries.
Skill Name: verified-agent-identity
Duration: 50.0s
Engine: pi
Safe to install
This skill is safe to use. No action required. The private key storage in plaintext is necessary for identity management functionality.

Findings 1 items

Severity: Info
Finding: Implicit openclaw dependency (Doc Mismatch)
Location: SKILL.md:1
SKILL.md declares shell execution but does not explicitly mention the 'openclaw' CLI tool dependency. This is a minor documentation gap.
execFileSync('openclaw', ['message', 'send', '--target', target, '--message', safeMessage])
→ Consider adding 'openclaw' to the required binaries list in SKILL.md metadata
| Resource | Declared | Inferred | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md:scope - stores identity data in $HOME/.openclaw/billions |
| Network | READ | READ | ✓ Aligned | bootstrap.js:90 - makes RPC calls to rpc-mainnet.billions.network; verifySignatu… |
| Shell | WRITE | WRITE | ✓ Aligned | utils.js:115 - uses execFileSync to run 'openclaw message send' command |
| Environment | NONE | READ | ✓ Aligned | base.js:8 - reads $HOME from process.env for storage path |
20 findings
| Severity | Type | Value | Location |
| --- | --- | --- | --- |
| Medium | External URL | https://billions.network/ | SKILL.md:5 |
| Medium | Wallet Address | 0xB3F5d3DD47F6ca17468898291491eBDA69a67797 | scripts/constants.js:1 |
| Medium | External URL | https://attestation-relay.billions.network/api/v1/callback?attestation= | scripts/constants.js:5 |
| Medium | External URL | https://wallet.billions.network | scripts/constants.js:6 |
| Medium | External URL | https://paulmillr.com/funding/ | scripts/package-lock.json:70 |
| Medium | External URL | https://www.buymeacoffee.com/ricmoo | scripts/package-lock.json:96 |
| Medium | External URL | https://gitcoin.co/grants/13/ethersjs-complete-simple-and-tiny-2 | scripts/package-lock.json:186 |
| Medium | External URL | https://www.patreon.com/feross | scripts/package-lock.json:1548 |
| Medium | External URL | https://feross.org/support | scripts/package-lock.json:1552 |
| Medium | External URL | https://opencollective.com/fastify | scripts/package-lock.json:2012 |
| Medium | External URL | https://paypal.me/jimmywarting | scripts/package-lock.json:2035 |
| Medium | External URL | https://opencollective.com/node-fetch | scripts/package-lock.json:2366 |
| Medium | External URL | https://paypal.me/kozjak | scripts/package-lock.json:2630 |
| Medium | Wallet Address | 0x0000000000000000000000000000000000000000 | scripts/shared/attestation.js:9 |
| Medium | External URL | https://rpc-mainnet.billions.network | scripts/shared/bootstrap.js:90 |
| Medium | Wallet Address | 0x3c9acb2205aa72a05f6d77d708b5cf85fca3a896 | scripts/shared/bootstrap.js:91 |
| Medium | External URL | https://rhs-staging.polygonid.me | scripts/shared/bootstrap.js:102 |
| Medium | External URL | https://www.w3.org/ns/did/v1 | scripts/shared/utils.js:32 |
| Medium | External URL | https://w3id.org/security/suites/secp256k1recovery-2020/v2 | scripts/shared/utils.js:33 |
| Medium | External URL | https://resolver.privado.id/1.0/identifiers/$ | scripts/verifySignature.js:31 |

File Tree

21 files · 150.9 KB · 4479 lines
JSON 2f · 2973L JavaScript 17f · 1165L Markdown 2f · 341L
├─ 📁 scripts
│ ├─ 📁 shared
│ │ ├─ 📁 storage
│ │ │ ├─ 📜 base.js JavaScript 35L · 872 B
│ │ │ ├─ 📜 challenge.js JavaScript 53L · 1.2 KB
│ │ │ ├─ 📜 did.js JavaScript 47L · 1.1 KB
│ │ │ ├─ 📜 identities.js JavaScript 44L · 1.1 KB
│ │ │ └─ 📜 keys.js JavaScript 41L · 1.0 KB
│ │ ├─ 📜 attestation.js JavaScript 85L · 2.2 KB
│ │ ├─ 📜 bootstrap.js JavaScript 149L · 3.9 KB
│ │ └─ 📜 utils.js JavaScript 181L · 4.1 KB
│ ├─ 📜 constants.js JavaScript 18L · 953 B
│ ├─ 📜 createNewEthereumIdentity.js JavaScript 88L · 2.3 KB
│ ├─ 📜 generateChallenge.js JavaScript 30L · 806 B
│ ├─ 📜 getDidDocument.js JavaScript 39L · 923 B
│ ├─ 📜 getIdentities.js JavaScript 24L · 572 B
│ ├─ 📜 linkHumanToAgent.js JavaScript 141L · 3.5 KB
│ ├─ 📜 manualLinkHumanToAgent.js JavaScript 28L · 766 B
│ ├─ 📋 package-lock.json JSON 2951L · 106.7 KB
│ ├─ 📋 package.json JSON 22L · 532 B
│ ├─ 📜 signChallenge.js JavaScript 96L · 2.4 KB
│ └─ 📜 verifySignature.js JavaScript 66L · 2.0 KB
├─ 📝 README.md Markdown 119L · 5.8 KB
└─ 📝 SKILL.md Markdown 222L · 8.2 KB

Dependencies 6 items

| Package | Version | Source | Known Vulns | Notes |
| --- | --- | --- | --- | --- |
| @0xpolygonid/js-sdk | ^1.18.1 | npm | No | Official Polygon ID SDK - well-maintained |
| @iden3/js-iden3-auth | ^1.14.0 | npm | No | Official Iden3 authentication library |
| @iden3/js-iden3-core | ^1.4.1 | npm | No | Official Iden3 core library |
| ethers | ^6.13.4 | npm | No | Industry-standard Ethereum library |
| shell-quote | ^1.8.3 | npm | No | Used for safe shell argument parsing |
| uuid | ^11.0.3 | npm | No | Standard UUID generation |

Security Positives

✓ Uses well-audited cryptographic libraries (@0xpolygonid/js-sdk, ethers.js)
✓ Implements shell operator validation to prevent command injection
✓ Uses regex validation for target parameters
✓ Proper error handling throughout all scripts
✓ Uses atomic file writes (temp file + rename) for storage operations
✓ No base64 encoding or obfuscation techniques detected
✓ No credential exfiltration or data theft patterns
✓ No eval() or dynamic code execution
✓ No remote script download patterns (curl|bash, wget|sh)
✓ Network requests limited to legitimate Billions Network blockchain services
✓ Private key storage is necessary for identity management and clearly documented