← Back to Skills Marketplace

Whoareyou

Name: Whoareyou
Author: erasmus

by Erasmus Hagen · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

106

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install whoareyou

Description

Show your verified wayID identity card when a user asks who you are

Usage Guidance

This skill appears to do what it says, but exercise caution before installing or enabling it: 1) Source provenance: there is no homepage or code to inspect — verify the publisher (owner ID) and trustworthiness of way.je before use. 2) Private key risk: the file you must read (~/.openclaw/identity/device.json) contains a privateKey field; ensure the agent implementation only extracts the publicKey, does not print/log the full file, and never transmits the privateKey. 3) Network calls: confirm the agent uses HTTPS with proper certificate validation and only calls way.je endpoints as documented. 4) Testing: run the skill in a controlled environment first (or with a test identity) to confirm it cannot exfiltrate secrets. 5) Safer alternatives: if possible, expose a minimal API or OS-level accessor that returns only the public key or a fingerprint instead of giving file access to a blob containing a private key. If you cannot verify the implementation or origin, do not install/enabled the skill.

Capability Analysis

Type: OpenClaw Skill Name: whoareyou Version: 1.0.0 The skill requires the agent to read '~/.openclaw/identity/device.json', a file containing both public and private keys, and then perform external network requests to 'way.je'. While the instructions in 'SKILL.md' state that only the 'publicKey' is needed, the proximity of the 'privateKey' in the same file and the transmission of data to an external API represent a high-risk pattern for potential secret leakage or accidental exposure.

Capability Assessment

✓ Purpose & Capability

The skill's name and description ('show your verified wayID identity card') align with its instructions: read the agent's public key and query way.je to fetch an identity card. No unrelated environment variables or extra binaries are requested. However the skill has no source/homepage listed (unknown origin), which reduces trust in provenance.

⚠ Instruction Scope

The runtime instructions require reading ~/.openclaw/identity/device.json which indeed contains both publicKey and privateKey fields. The SKILL.md explicitly says only the publicKey is needed, but it does not provide strict safeguards or verification steps to ensure the privateKey is never read, logged, or transmitted. The skill also instructs contacting an external API (https://way.je); that is expected for the purpose, but any implementation bug could leak sensitive material. The instructions are otherwise scoped to the described task and forbid opening a browser.

✓ Install Mechanism

This is instruction-only (no install spec, no code files). That reduces the attack surface because nothing is downloaded or written by the installer, but it also means there is no code to audit — you must trust the agent runtime to implement the instructions safely.

ℹ Credentials

No environment variables or credentials are requested, which is appropriate. However, requiring access to a config file that contains the agent's private key is sensitive. Even without explicit env/secret requests, reading ~/.openclaw/identity/device.json gives access to a privateKey field — the skill should make it explicit (and the runtime should enforce) that only the publicKey value is read and transmitted.

✓ Persistence & Privilege

The skill is user-invocable and not always-on; it does not request persistent privileges or modification of other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with other high-risk flags here.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install whoareyou
After installation, invoke the skill by name or use /whoareyou
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

whoareyou 1.0.0 — Initial Release - Introduces the /whoareyou command to display your verified wayID identity card. - Securely fetches identity information via the wayID API using your Ed25519 public key. - Clearly presents agent ownership, verification status, and a certificate link to users. - Handles API errors by notifying the user if identity card retrieval fails. - No data is fabricated; only official API responses are shown.

Metadata

Slug whoareyou

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Whoareyou?

Show your verified wayID identity card when a user asks who you are. It is an AI Agent Skill for Claude Code / OpenClaw, with 106 downloads so far.

How do I install Whoareyou?

Run "/install whoareyou" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Whoareyou free?

Yes, Whoareyou is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Whoareyou support?

Whoareyou is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Whoareyou?

It is built and maintained by Erasmus Hagen (@erasmus); the current version is v1.0.0.

More Skills