Truclaw Biometric
by sanjaymk908 · v1.0.3 · MIT-0
65 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install truclaw-biometric
Description
Biometric guardrail for OpenClaw. Intercepts dangerous tool calls and requires Face ID verification via TruClaw iOS app before execution. Biometric processin...
Usage Guidance
This skill's design is coherent for a biometric guardrail, but it requires installing third-party code (npm/git) and relies on an author-hosted relay that handles push delivery and short-lived JWTs. Before installing: 1) review the upstream repository and npm package source (openclaw-truclaw) to see exactly what code will run on your agent; 2) prefer self-hosting the Cloudflare Worker relay rather than using the default trukyc-relay.trusources.workers.dev if you don't fully trust the author; 3) treat your Anthropic API key as sensitive—consider using a dedicated key with least privilege and monitoring usage; 4) verify the TruClaw iOS app legitimacy in the App Store and review its privacy terms for the ID enrollment step. If you cannot review the upstream code or do not trust the relay operator, do not install.
Capability Analysis
Type: OpenClaw Skill
Name: truclaw-biometric
Version: 1.0.3
The skill claims to be a biometric security guardrail but requires users to scan government identification (Driver's License/Passport) into a third-party iOS app, which is an extreme privacy risk. The logic described in SKILL.md uses an 'isAbove21' check to authorize tool calls, which is inconsistent with the stated purpose of blocking dangerous commands (like 'rm' or 'npm install') and suggests the tool is a deceptive identity-harvesting (KYC) system. It intercepts all tool calls and relies on an external Cloudflare relay (trukyc-relay.trusources.workers.dev) and a separate Anthropic API key.
Capability Assessment
Purpose & Capability
The name/description (biometric guardrail) align with the declared requirements: an Anthropic API key for danger classification and a relay URL for push/JWT exchange. Requiring those env vars is reasonable for the stated design.
Instruction Scope
SKILL.md stays mostly inside the stated scope (intercept tool calls, call Anthropic for classification, relay to deliver push and temporary JWT). However it instructs the user to enroll with ID scanning (on-device enrollment) and to run npm install/build steps from the repo — installing and running code on the host. The doc also depends on trusting that the relay ‘never sees biometric data’ (a claim you cannot verify from the skill bundle alone).
Install Mechanism
Install is via npm (package name openclaw-truclaw) and SKILL.md also shows git clone + npm install/build. The skill bundle itself contains no code files; installing the npm package or building the cloned repo will pull and execute third-party code not included in the bundle. This is moderate supply-chain risk and worth reviewing the upstream package/source before running.
Credentials
Only two env vars are requested (ANTHROPIC_API_KEY_TRUKYC and TRUKYC_RELAY_URL), which are consistent with the described architecture. The Anthropic key is sensitive (gives API access) and TRUKYC_RELAY_URL points by default to an author-controlled Cloudflare Worker—using the shared relay requires trusting the relay operator with push/session handling. Self-hosting the relay is supported and recommended if you don't trust the author-hosted endpoint.
Persistence & Privilege
The plugin is described as running in a privileged before_tool_call hook so it can intercept and block dangerous tool calls; this capability is necessary for the feature but is powerful. always is false (good). Autonomous invocation is allowed by default; combined with networked relay and code installed from npm, this increases the effective blast radius if the code or relay are malicious.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install truclaw-biometric
- After installation, invoke the skill by name or use /truclaw-biometric
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
Renamed truclaw skill to truclaw-biometric
Frequently Asked Questions
What is Truclaw Biometric?
Biometric guardrail for OpenClaw. Intercepts dangerous tool calls and requires Face ID verification via TruClaw iOS app before execution. Biometric processin... It is an AI Agent Skill for Claude Code / OpenClaw, with 65 downloads so far.
How do I install Truclaw Biometric?
Run "/install truclaw-biometric" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Truclaw Biometric free?
Yes, Truclaw Biometric is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Truclaw Biometric support?
Truclaw Biometric is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Truclaw Biometric?
It is built and maintained by sanjaymk908 (@sanjaymk908); the current version is v1.0.3.