← Back to Skills Marketplace
Web3dropper Crypto Price Skill
by
Web3Dropper
· GitHub ↗
· v1.0.0
334
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install web3dropper-crypto-price
Description
Billions/Iden3 authentication and identity management tools for agents. Link, proof, sign, and verify.
Usage Guidance
Be cautious before installing. The package is primarily an identity management toolkit (not just a 'crypto price' skill) and will generate and store private keys unencrypted under $HOME/.openclaw/billions and send signed tokens/URLs to arbitrary recipients via the openclaw CLI. If you only want a Binance price fetcher, do not install this package. If you need the identity functionality, verify the upstream project (billions.network), inspect the sendDirectMessage/openclaw invocation code, and only run it in a controlled environment. Consider the following steps before proceeding: (1) confirm the skill's origin and that the domains (rpc-mainnet.billions.network, attestation-relay.billions.network, wallet.billions.network) are trustworthy; (2) inspect the KeysFileStorage implementation and decide whether plaintext key storage is acceptable for your threat model; (3) avoid running these scripts on machines that hold other sensitive keys/accounts; (4) run npm install in an isolated environment (container/VM) and audit installed dependencies; (5) if you must use it, limit the recipients you pass to the --to argument and prefer manual review of any generated callback URLs. If you want help locating the specific lines that write/read kms.json or where the signed JWS is constructed and sent, I can point them out or extract them for review.
Capability Analysis
Type: OpenClaw Skill
Name: web3dropper-crypto-price
Version: 1.0.0
The bundle provides a decentralized identity (DID) management toolkit for AI agents, but is classified as suspicious due to a critical security vulnerability: private keys are stored unencrypted in `kms.json` within the `$HOME/.openclaw/billions/` directory. While the documentation in `SKILL.md` and `README.md` explicitly acknowledges this risk, it remains a significant flaw. The bundle also exhibits an inconsistent structure, with a mismatch between the root metadata slug (`web3dropper-crypto-price`) and the primary skill instructions (`verified-agent-identity`), and it contains a nested, unrelated crypto price fetching script. Legitimate domains such as `billions.network` and `privado.id` are used for identity resolution and relaying.
Capability Assessment
Purpose & Capability
Registry name/summary ('Web3dropper Crypto Price Skill') suggests a simple Binance price fetcher, but the repository and SKILL.md are largely an identity toolkit for Billions/iden3 (many files, KMS, DID management, signing, attestation). The included 'my-agent-skill' small Binance script exists, but it is a minor piece of a much larger identity package. This mismatch is incoherent and could indicate repackaging or mislabeling.
Instruction Scope
Runtime instructions tell the agent to run npm install and multiple scripts that create/import private keys, sign challenges, build authorization requests and call openclaw to send messages containing signed JWS/callback URLs. Those scripts persist unencrypted private keys and produce callback URLs containing JWS tokens — sending those to arbitrary recipients could expose attestation tokens or enable linking to malicious recipients if the --to argument is set incorrectly or by a malicious prompt. The SKILL.md guardrails try to limit dangerous actions, but the scripts themselves perform sensitive I/O and network calls outside the agent workspace.
Install Mechanism
No formal install spec is provided in the registry (instruction-only), but SKILL.md instructs running 'cd scripts && npm install' which will install many npm dependencies (some large SDKs). Pulling these npm packages is standard for the identity functionality; there's no remote archive download or URL shortener in the install path. The presence of heavy dependencies is proportionate to iden3/PolygonID usage, but increases surface area compared with a tiny price-fetching skill.
Credentials
The skill requests no environment variables, but writes and reads sensitive cryptographic material to $HOME/.openclaw/billions (kms.json with privateKeyHex stored in plaintext). While local key storage is needed for identity operations, unencrypted key persistence in a home directory is sensitive and may be disproportionate if the user did not expect identity management. The scripts also contact RPC and relay endpoints (rpc-mainnet.billions.network and attestation-relay.billions.network), which are expected for this purpose but should be verified as legitimate.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It creates persistent files under $HOME/.openclaw/billions (kms.json, identities.json, challenges.json, defaultDid.json). Persistent storage is necessary for a DID/key toolkit, but that is a significant privilege and means the skill will have long-term access to local private keys once installed.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install web3dropper-crypto-price - After installation, invoke the skill by name or use
/web3dropper-crypto-price - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
**Initial release of verified-agent-identity skill.**
- Provides Billions/Iden3 authentication and decentralized identity management tools for agents.
- Supports creating and managing agent identities, linking an agent’s DID to a human owner, signing and verifying challenges, and handling shared JWT authentication.
- Includes scripts for key identity operations: creation, listing, challenge generation, challenge signing, identity linking, and signature verification.
- Stores all identity and credential data in `$HOME/.openclaw/billions` for OpenClaw compatibility.
- Strict guardrails enforce proper script usage and prohibit manual cryptographic operations or unauthorized file access.
Metadata
Frequently Asked Questions
What is Web3dropper Crypto Price Skill?
Billions/Iden3 authentication and identity management tools for agents. Link, proof, sign, and verify. It is an AI Agent Skill for Claude Code / OpenClaw, with 334 downloads so far.
How do I install Web3dropper Crypto Price Skill?
Run "/install web3dropper-crypto-price" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Web3dropper Crypto Price Skill free?
Yes, Web3dropper Crypto Price Skill is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Web3dropper Crypto Price Skill support?
Web3dropper Crypto Price Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Web3dropper Crypto Price Skill?
It is built and maintained by Web3Dropper (@web3dropper); the current version is v1.0.0.
More Skills