Trusted — Risk Score 5/100
Last scan: 20 hr ago
verified-agent-identity
Billions decentralized identity for agents. Link agents to human identities using Billions ERC-8004 and Attestation Registries.
Legitimate decentralized identity management skill with clear documentation, declared network endpoints to known blockchain infrastructure, and proper filesystem storage for cryptographic keys.
Skill Name: verified-agent-identity
Duration: 44.3s
Engine: pi
Safe to install
This skill is safe to use. Ensure the BILLIONS_NETWORK_MASTER_KMS_KEY environment variable is set to enable at-rest encryption of private keys.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | Stores identity data in $HOME/.openclaw/billions/ |
| Network | READ | READ | ✓ Aligned | HTTPS calls to billions.network, privado.id |
| Shell | WRITE | WRITE | ✓ Aligned | Executes node scripts as declared in metadata |
| Environment | READ | READ | ✓ Aligned | Reads BILLIONS_NETWORK_MASTER_KMS_KEY for encryption |
22 findings
| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://docs.openclaw.ai/help/environment | README.md:167 |
| Medium | External URL | https://billions.network/ | SKILL.md:5 |
| Medium | Wallet Address | 0xB3F5d3DD47F6ca17468898291491eBDA69a67797 | scripts/constants.js:1 |
| Medium | External URL | https://attestation-relay.billions.network/api/v1/callback?attestation= | scripts/constants.js:5 |
| Medium | External URL | https://wallet.billions.network | scripts/constants.js:6 |
| Medium | External URL | https://identity-dashboard.billions.network | scripts/constants.js:19 |
| Medium | External URL | https://paulmillr.com/funding/ | scripts/package-lock.json:70 |
| Medium | External URL | https://www.buymeacoffee.com/ricmoo | scripts/package-lock.json:96 |
| Medium | External URL | https://gitcoin.co/grants/13/ethersjs-complete-simple-and-tiny-2 | scripts/package-lock.json:192 |
| Medium | External URL | https://www.patreon.com/feross | scripts/package-lock.json:1554 |
| Medium | External URL | https://feross.org/support | scripts/package-lock.json:1558 |
| Medium | External URL | https://opencollective.com/fastify | scripts/package-lock.json:2024 |
| Medium | External URL | https://paypal.me/jimmywarting | scripts/package-lock.json:2047 |
| Medium | External URL | https://opencollective.com/node-fetch | scripts/package-lock.json:2393 |
| Medium | External URL | https://paypal.me/kozjak | scripts/package-lock.json:2657 |
| Medium | Wallet Address | 0x0000000000000000000000000000000000000000 | scripts/shared/attestation.js:9 |
| Medium | External URL | https://rpc-mainnet.billions.network | scripts/shared/bootstrap.js:90 |
| Medium | Wallet Address | 0x3c9acb2205aa72a05f6d77d708b5cf85fca3a896 | scripts/shared/bootstrap.js:91 |
| Medium | External URL | https://rhs-staging.polygonid.me | scripts/shared/bootstrap.js:102 |
| Medium | External URL | https://www.w3.org/ns/did/v1 | scripts/shared/utils.js:31 |
| Medium | External URL | https://w3id.org/security/suites/secp256k1recovery-2020/v2 | scripts/shared/utils.js:32 |
| Medium | External URL | https://resolver.privado.id/1.0/identifiers/$ | scripts/verifySignature.js:31 |

File Tree

23 files · 156.0 KB · 4657 lines
JSON 3f · 2984L JavaScript 18f · 1273L Markdown 2f · 400L
├─ 📁 scripts
│ ├─ 📁 shared
│ │ ├─ 📁 storage
│ │ │ ├─ 📜 base.js JavaScript 35L · 872 B
│ │ │ ├─ 📜 challenge.js JavaScript 53L · 1.2 KB
│ │ │ ├─ 📜 crypto.js JavaScript 81L · 2.1 KB
│ │ │ ├─ 📜 did.js JavaScript 47L · 1.1 KB
│ │ │ ├─ 📜 identities.js JavaScript 44L · 1.1 KB
│ │ │ └─ 📜 keys.js JavaScript 117L · 3.4 KB
│ │ ├─ 📜 attestation.js JavaScript 85L · 2.2 KB
│ │ ├─ 📜 bootstrap.js JavaScript 149L · 3.9 KB
│ │ └─ 📜 utils.js JavaScript 131L · 2.9 KB
│ ├─ 📜 constants.js JavaScript 19L · 1.0 KB
│ ├─ 📜 createNewEthereumIdentity.js JavaScript 80L · 2.1 KB
│ ├─ 📜 generateChallenge.js JavaScript 30L · 806 B
│ ├─ 📜 getDidDocument.js JavaScript 39L · 923 B
│ ├─ 📜 getIdentities.js JavaScript 24L · 572 B
│ ├─ 📜 linkHumanToAgent.js JavaScript 153L · 3.9 KB
│ ├─ 📜 manualLinkHumanToAgent.js JavaScript 28L · 766 B
│ ├─ 📋 package-lock.json JSON 2957L · 107.1 KB
│ ├─ 📋 package.json JSON 22L · 531 B
│ ├─ 📜 signChallenge.js JavaScript 92L · 2.3 KB
│ └─ 📜 verifySignature.js JavaScript 66L · 2.0 KB
├─ 📋 _meta.json JSON 5L · 143 B
├─ 📝 README.md Markdown 181L · 7.1 KB
└─ 📝 SKILL.md Markdown 219L · 8.1 KB

Dependencies 6 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| @0xpolygonid/js-sdk | 1.42.1 | npm | No | Pinned to specific version |
| @iden3/js-iden3-core | 1.8.0 | npm | No | Pinned to specific version |
| @iden3/js-iden3-auth | 1.14.0 | npm | No | Pinned to specific version |
| ethers | ^6.13.4 | npm | No | Minor version range, consider pinning |
| uuid | ^11.0.3 | npm | No | Major version range, consider pinning |
| @noble/curves | ^1.9.2 | npm | No | Minor version range |

Security Positives

✓ All network endpoints are documented and point to legitimate blockchain/identity infrastructure (billions.network, privado.id)
✓ Private keys support AES-256-GCM encryption at rest via optional BILLIONS_NETWORK_MASTER_KMS_KEY
✓ All shell commands use Node.js scripts as declared in metadata
✓ No obfuscation, base64-encoded payloads, or anti-analysis techniques detected
✓ Filesystem access is scoped to dedicated identity storage directory with clear documentation
✓ All dependencies are pinned to specific versions (e.g., @0xpolygonid/js-sdk: 1.42.1)
✓ Network calls are read-only (fetch for resolution/callback) with no data exfiltration patterns
✓ README.md explicitly documents network policy and whitelisted domains