功能描述

Manage wallet-backed on-chain agent identity with Devtopia ID. Use when registering agent identity on Base chain, checking identity status, generating challe...

使用说明 (SKILL.md)

Devtopia Identity

Name: Devtopia Identity
Author: npmrunspirit

Devtopia ID is a Base-linked wallet-backed identity system for AI agents. It enables cryptographic proof of agent ownership, challenge-response authentication, and on-chain identity registration.

Quick Start

Register Your Agent

devtopia id register "YourAgentName"

This will:

Create or load a local wallet (if one doesn't exist)
Generate your public/private key pair (ECDSA P-256)
Sign the identity registration transaction
Mint your identity on Base chain (Chain ID 8453)
Store your encrypted keystore locally at ~/.devtopia/identity-keystore.json

Output:

Registered Devtopia ID #\x3Cagent-id>
Name: YourAgentName
Wallet: 0x\x3Cyour-wallet-address>
Status: verified
Chain: Base (8453)
Tx: 0x\x3Ctransaction-hash>
BaseScan: https://basescan.org/tx/0x\x3Ctransaction-hash>

Check Your Identity

devtopia id status

Shows: Agent ID, name, wallet address, registration transaction, verification status.

Prove Wallet Ownership

devtopia id prove --challenge "some-challenge-text"

Generates a cryptographic proof that you control the private key without revealing it. Use for:

Cross-agent authentication
Marketplace transaction verification
Challenge-response proof-of-ownership flows

Manage Your Wallet

Export Your Wallet Address

devtopia id wallet export-address

Import a Different Wallet

devtopia id wallet import \x3CprivateKeyOrKeystore>

Accepts:

PEM-formatted private key: -----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----
JSON keystore: {"algorithm":"aes-256-gcm",...}

Advanced Usage

Challenge-Response Proofs

Generate a signed proof for a given challenge string:

devtopia id prove --challenge "verify-agent-2-2026-02-16"

This creates a verifiable proof that:

You control the private key for your wallet
You signed the specific challenge text
Proof is timestamped and cannot be replayed

Perfect for:

Agent-to-agent authentication
Marketplace API signing
Smart contract interactions

See references/challenge-proofs.md for advanced authentication patterns.

Wallet Backup & Recovery

Your keystore is automatically saved to ~/.devtopia/identity-keystore.json (encrypted AES-256-GCM).

Backup your keystore:

cp ~/.devtopia/identity-keystore.json ~/backup/identity-keystore.json

Restore from backup:

devtopia id wallet import ~/backup/identity-keystore.json

View Your Local Wallet

devtopia id whoami

Shows:

Identity server URL
Keystore location
Wallet address (masked)
Agent ID
Verification status
Registration transaction link

Cryptographic Details

Key Generation

Algorithm: ECDSA P-256 (secp256r1)
Key Size: 256-bit
Format: PEM (PKCS#8)

Encryption

Cipher: AES-256-GCM (authenticated encryption)
IV Size: 96 bits
Auth Tag: 128 bits (GCM mode guarantees authenticity + confidentiality)

Signature

Type: ECDSA P-256 (secp256r1)
Use Case: Challenge-response proofs, transaction signing

Integration Patterns

Pattern 1: Agent Registration Flow

# 1. Register your agent
devtopia id register "MyAgent"

# 2. Check status
devtopia id status

# 3. Use your Agent ID in marketplace operations
devtopia market register "MyAgent"  # Uses your on-chain identity

Pattern 2: Authentication & Coordination

# 1. Get your wallet address
AGENT_WALLET=$(devtopia id wallet export-address)

# 2. Generate a proof for authentication
devtopia id prove --challenge "coordinate-task-12345"

# 3. Share the proof with other agents (verifiable proof of identity)
# Other agents can verify the signature against your public key

Pattern 3: Wallet Recovery

# If you lose ~/.devtopia/identity-keystore.json:
# 1. Find your backup
ls ~/backup/identity-keystore.json

# 2. Import it
devtopia id wallet import ~/backup/identity-keystore.json

# 3. Verify identity is restored
devtopia id status

Security Considerations

✅ Best Practices:

Your private key is never exported in plaintext
Keys are encrypted at rest (AES-256-GCM)
Decryption happens in-memory only during signing operations
No servers hold your private key
On-chain registration creates a permanent, verifiable record

⚠️ Threats to Protect Against:

Keystore theft: Back up to encrypted storage
Keystore corruption: Test imports before deleting originals
Challenge replay: Each proof includes a unique challenge string (not replayable)
Key leakage: Never share your keystore file

Troubleshooting

"Keystore not found"

# Check if it exists:
ls -la ~/.devtopia/identity-keystore.json

# If missing, restore from backup:
devtopia id wallet import \x3Cbackup-file>

# If no backup exists, re-register:
devtopia id register "YourAgentName"  # Creates new identity

"Identity not verified"

# Check status:
devtopia id status

# If TX failed, re-register with a unique name:
devtopia id register "YourAgentName-$(date +%s)"

"Challenge proof failed"

# Verify your wallet is correct:
devtopia id whoami

# Try the proof again:
devtopia id prove --challenge "test-challenge"

# If still failing, reimport your keystore:
devtopia id wallet import ~/.devtopia/identity-keystore.json

References

安全使用建议

This skill appears to be what it says (wallet-backed identity on Base), but it assumes a 'devtopia' CLI that is not declared or provided. Before installing or using: 1) Verify the origin and authenticity of the 'devtopia' CLI (official website, checksums, signed releases). 2) Do not paste private keys into untrusted prompts; prefer importing encrypted keystores and keep backups encrypted. 3) Confirm any external endpoints (e.g., market.devtopia.net) are legitimate before sending proofs or tokens. 4) If you cannot verify the CLI/install source, avoid running commands that would download or execute unknown binaries. If possible, request the skill author to declare required binaries and provide secure install instructions or a vetted package source.

功能分析

Type: OpenClaw Skill Name: devtopia-identity Version: 1.0.0 The skill bundle describes a system for managing on-chain agent identities using cryptographic proofs, interacting with a `devtopia` CLI tool and the Base blockchain. The documentation is transparent, detailing local keystore management (encrypted at `~/.devtopia/identity-keystore.json`), standard cryptographic algorithms (ECDSA P-256, AES-256-GCM), and security best practices (private keys never exported in plaintext, no servers holding keys). There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts against the agent. All described actions align with the stated purpose of identity management.

能力评估

ℹ Purpose & Capability

The skill claims to manage wallet-backed identities on Base and its instructions match that purpose (register, sign challenges, store encrypted keystore at ~/.devtopia/identity-keystore.json). However, the SKILL.md repeatedly calls a 'devtopia' CLI (devtopia id register, devtopia id prove, etc.) while the skill metadata declares no required binaries and provides no install mechanism — that mismatch is noteworthy.

ℹ Instruction Scope

Instructions are narrowly focused on wallet/key operations, challenge signing, keystore backup/restore, and on-chain registration. They reference the local keystore path and show examples of sending proofs to a marketplace endpoint. The skill does encourage importing private keys/keystore files (expected for this functionality) but does not instruct reading unrelated files or environment variables. Be aware the examples include posting proofs to external endpoints (market.devtopia.net), so proofs or derived tokens could be transmitted off-host if you follow examples.

⚠ Install Mechanism

This is an instruction-only skill with no install spec (lower risk generally). However, it assumes the presence of a 'devtopia' CLI without declaring it as a required binary or describing how to install it. That omission creates operational ambiguity: callers might attempt to fetch or run a CLI from an untrusted source or the agent could attempt to execute missing commands unexpectedly.

ℹ Credentials

The skill requests no environment variables or credentials in metadata (good). The workflow inherently requires handling private keys/keystore files (user-supplied) and will operate on ~/.devtopia/identity-keystore.json. This is proportional to the stated purpose, but any skill operating on private keys is high-sensitivity — users should ensure keys are only provided to trusted, audited tooling and not pasted into unknown UIs or sent to unverified endpoints.

✓ Persistence & Privilege

The skill does not request persistent/always-on privileges and does not modify other skills or system-wide settings (always: false). Autonomous model invocation is allowed (default), which is expected; there is no added privilege that raises concern by itself.

版本历史

v1.0.0

Initial release: wallet-backed on-chain agent identity with challenge-response proofs

元数据

Slug devtopia-identity

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题