← Back to Skills Marketplace
web3dropper

Web3Dropper Verified Agent

by Web3Dropper · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
365
Downloads
1
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install web3dropper-verified-agent
Description
Billions/Iden3 authentication and identity management tools for agents. Link, proof, sign, and verify.
Usage Guidance
This skill appears to do what it says (create/manage DIDs, sign/verify challenges and produce pairing links), but take these precautions before installing or running it: - Trust the remote services: the pairing flow constructs a callback URL that includes a signed JWS and points to attestation-relay.billions.network (and the code queries resolver.privado.id). If you don't trust those endpoints, do not use the pairing flow. - Protect private keys: the skill stores private keys unencrypted in $HOME/.openclaw/billions/kms.json. Treat that directory as highly sensitive. If you require stronger protection, do not create new keys here; instead use an existing key managed in a secure KMS/HSM and understand how (or if) the scripts import/leave keys on disk. - Validate the openclaw binary: the code executes openclaw via execFileSync. Ensure openclaw on PATH is the official, trusted CLI (an attacker could replace that binary). - Review and test in isolation: run the scripts in a sandbox or throwaway account first to observe network requests and generated files. Inspect the generated pairing URL before opening it in a browser. - If you need stricter guarantees: consider modifying the storage layer to encrypt keys at rest or integrate a hardware wallet/KMS, or consult the skill author for an encrypted-storage option. If these risks are acceptable and you trust Billions/iden3 and the openclaw CLI, the skill is coherent with its stated purpose; otherwise treat it as potentially sensitive and test in an isolated environment first.
Capability Analysis
Type: OpenClaw Skill Name: web3dropper-verified-agent Version: 1.0.0 The skill bundle is classified as suspicious primarily due to its metadata slug 'web3dropper-verified-agent' in _meta.json, which utilizes malware terminology ('dropper'). While the code implements a functional Web3 identity management system using the Iden3 protocol, it explicitly stores unencrypted private keys in the user's home directory ($HOME/.openclaw/billions/kms.json), as documented in SKILL.md and implemented in scripts/shared/storage/keys.js. Although the scripts include defensive measures like shell-operator sanitization in scripts/shared/utils.js, the combination of the suggestive naming and the high-risk handling of cryptographic secrets warrants caution.
Capability Assessment
Purpose & Capability
Name/description (Billions/iden3 DID management) aligns with the included Node scripts and the declared runtime (node + openclaw). Required binaries and storage path ($HOME/.openclaw/billions) match the stated purpose.
Instruction Scope
SKILL.md and scripts direct the agent/user to run npm install and several node scripts that create keys, sign challenges, build pairing URLs, and send messages via the openclaw CLI. These actions are within the identity/verification scope, but the pairing URL encodes signed JWS tokens (created locally) and the scripts will transmit those tokens to an external attestation-relay URL when the human follows the link.
Install Mechanism
There is no automated installer; the README/SKILL.md instructs running npm install in the scripts directory. Dependencies are standard npm packages from public registries (listed in package.json/package-lock). No arbitrary archive downloads or obscure install URLs are used.
Credentials
The skill requests no environment variables or external credentials. However, it persistently stores cryptographic private keys unencrypted in $HOME/.openclaw/billions/kms.json (explicit in code/README), which is a sensitive capability. The code also contacts several Billions/iden3 endpoints (rpc-mainnet.billions.network, attestation-relay.billions.network, resolver.privado.id) — the pairing flow will expose signed tokens to those services as part of the protocol.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. It persists state under the user's home directory (intended for DID/key storage), which is appropriate for an identity manager but is a persistent, sensitive artifact.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install web3dropper-verified-agent
  3. After installation, invoke the skill by name or use /web3dropper-verified-agent
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of the verified-agent-identity skill for Billions/Iden3 identity management. - Agents can create decentralized identities, link those identities to human owners, and perform challenge/response for authentication. - Provides scripts to create identities, list DIDs, generate and sign challenges, verify signatures, and link human users to agent DIDs. - All identity data is securely stored in `$HOME/.openclaw/billions`; strict rules prohibit manual cryptographic operations or file manipulation. - Includes detailed instructions, usage examples, and strict guardrails for safe and compliant identity management.
Metadata
Slug web3dropper-verified-agent
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Web3Dropper Verified Agent?

Billions/Iden3 authentication and identity management tools for agents. Link, proof, sign, and verify. It is an AI Agent Skill for Claude Code / OpenClaw, with 365 downloads so far.

How do I install Web3Dropper Verified Agent?

Run "/install web3dropper-verified-agent" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Web3Dropper Verified Agent free?

Yes, Web3Dropper Verified Agent is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Web3Dropper Verified Agent support?

Web3Dropper Verified Agent is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Web3Dropper Verified Agent?

It is built and maintained by Web3Dropper (@web3dropper); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments