← Back to Skills Marketplace
holdcc_eth
by
Holdcc Ether
· GitHub ↗
· v1.0.0
· MIT-0
402
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install verified-agent-identity-3
Description
Billions decentralized identity for agents. Link agents to human identities using Billions ERC-8004 and Attestation Registries. Verify and generate authentic...
Usage Guidance
Do not run the provided commands or npm install until you have the actual script files and have reviewed them. Specific checks to perform before installing or running anything:
- Confirm the package includes the scripts/ directory and inspect every script (createNewEthereumIdentity.js, linkHumanToAgent.js, etc.) for network calls, where private keys are created/stored, and any external URLs or npm packages they fetch.
- Verify how private keys are stored: are they encrypted, do they rely on a KMS, or are they written plaintext under $HOME/.openclaw/billions? If plaintext, treat as high risk.
- Ask the publisher for required environment variables (RPC URL, provider, private key or KMS configuration) and for the exact smart contract addresses the scripts will interact with.
- Avoid running npm install or executing node scripts from an untrusted source; run them in an isolated environment (VM/container) after review.
- If you need this capability, request the upstream repository or signed release (e.g., GitHub repo with commit history and release artifacts) so you can audit the code. If the author cannot provide the scripts or clear provenance, do not install.
Capability Analysis
Type: OpenClaw Skill
Name: verified-agent-identity-3
Version: 1.0.0
The skill manages decentralized identities and sensitive private keys, storing them in $HOME/.openclaw/billions/kms.json. It is classified as suspicious because it explicitly documents that private keys are stored in plaintext by default unless a specific environment variable (BILLIONS_NETWORK_MASTER_KMS_KEY) is provided, which is a significant security vulnerability. While SKILL.md includes safety guardrails for the agent, the combination of high-privilege credential management and the requirement to execute scripts that handle these keys (e.g., signChallenge.js and linkHumanToAgent.js) without the underlying source code present for review poses a high risk.
Capability Tags
Capability Assessment
Purpose & Capability
The skill's stated purpose (create/verify Billions ERC-8004 DIDs and attestations) would normally require on-chain interaction, an Ethereum/RPC endpoint, and either an existing private key or a way to sign transactions. The SKILL.md requests only the 'node' binary and optionally a KMS key; it lists no RPC URL, wallet/private-key environment variable, or network configuration. That mismatch suggests the declared requirements are incomplete or the skill expects external code/assets that are not provided.
Instruction Scope
The runtime instructions tell the agent to run commands in a scripts/ directory (npm install; node scripts/... ), create and store private keys and challenges under $HOME/.openclaw/billions, and interact with registries — but this skill package contains no scripts or code files. Instructions also prohibit manual cryptographic work and direct the agent not to touch stored files, which restricts remediation. Because the actual scripts are absent, following these instructions would fail or require fetching external code, which is not specified.
Install Mechanism
There is no install spec (instruction-only), which is low-risk by itself. However the SKILL.md explicitly tells users to run 'cd scripts && npm install', which would execute package installs from the network if scripts/package.json were present. Since no code files are included, the install instructions are inconsistent with the package contents and could lead to arbitrary network package installation if a user later obtains the missing scripts.
Credentials
The skill declares no required environment variables (only an optional BILLIONS_NETWORK_MASTER_KMS_KEY in metadata), yet its functionality implies needing sensitive items: a signing key or KMS, and an RPC/provider URL to interact with Ethereum-based registries. The SKILL.md also stores private keys and challenges in the user's home directory, which is sensitive. The absence of clear, justified credential requirements is disproportionate to the described on-chain operations.
Persistence & Privilege
The skill stores identity data under $HOME/.openclaw/billions, which is expected for an identity manager but means private keys and challenges may be persisted locally. always is false and the skill does not request broader system privileges. You should confirm how keys are encrypted at rest (KMS usage) before use.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install verified-agent-identity-3 - After installation, invoke the skill by name or use
/verified-agent-identity-3 - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Major update: skill scripts and documentation removed, leaving only the skill manifest and instructions.
- All executable scripts and related files were removed, including agent identity, challenge, signature, and attestation management tools.
- Usage instructions now only describe expected commands and flows, without providing the actual script files.
- Security and critical guardrails remain documented as guidance, but enforcement now depends on external implementation.
- Skill metadata updated to reflect new configuration options and dependencies.
v0.1.1
No changes detected in this release.
- Version 0.1.1 has no file changes compared to the previous version.
- Functionality, documentation, and usage remain the same.
v0.1.0
verified-agent-identity-3 v0.1.0
- Initial release with scripts for decentralized agent identity creation, authentication, and management using Billions/Iden3.
- Supports linking agent DIDs to human owners, signing/verifying challenges, and managing verifiable credentials.
- Includes strict security guardrails preventing manual cryptographic operations or unauthorized file access.
- All sensitive identity data is stored under $HOME/.openclaw/billions for compatibility with OpenClaw.
Metadata
Frequently Asked Questions
What is holdcc_eth?
Billions decentralized identity for agents. Link agents to human identities using Billions ERC-8004 and Attestation Registries. Verify and generate authentic... It is an AI Agent Skill for Claude Code / OpenClaw, with 402 downloads so far.
How do I install holdcc_eth?
Run "/install verified-agent-identity-3" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is holdcc_eth free?
Yes, holdcc_eth is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does holdcc_eth support?
holdcc_eth is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created holdcc_eth?
It is built and maintained by Holdcc Ether (@holdcc); the current version is v1.0.0.
More Skills