首页龙虾技能列表 › Web3Dropper Crypto Price — Web3Dropper 加密价格

Web3Dropper Crypto Price — Web3Dropper 加密价格

v1.0.0

Web3Dropper 加密价格技能工具。

0· 264·0 当前·0 累计
by @web3dropper (Web3Dropper)·MIT-0
下载技能包
License
MIT-0
最后更新
2026/4/13
安全扫描
VirusTotal
可疑
查看报告
OpenClaw
可疑
medium confidence
The package mixes two different purposes (a small Binance price script and a large Billions/iden3 identity toolkit), stores agent private keys unencrypted under $HOME/.openclaw/billions, and will send signed tokens/URLs to external recipients — the combination is coherent for an identity skill but the name/metadata mismatch and sensitive local key handling warrant caution.
评估建议
Be cautious before installing. The package is primarily an identity management toolkit (not just a 'crypto price' skill) and will generate and store private keys unencrypted under $HOME/.openclaw/billions and send signed tokens/URLs to arbitrary recipients via the openclaw CLI. If you only want a Binance price fetcher, do not install this package. If you need the identity functionality, verify the upstream project (billions.network), inspect the sendDirectMessage/openclaw invocation code, and on...
详细分析 ▾
用途与能力
Registry name/summary ('Web3dropper Crypto Price Skill') suggests a simple Binance price fetcher, but the repository and SKILL.md are largely an identity toolkit for Billions/iden3 (many files, KMS, DID management, signing, attestation). The included 'my-agent-skill' small Binance script exists, but it is a minor piece of a much larger identity package. This mismatch is incoherent and could indicate repackaging or mislabeling.
指令范围
Runtime instructions tell the agent to run npm install and multiple scripts that create/import private keys, sign challenges, build authorization requests and call openclaw to send messages containing signed JWS/callback URLs. Those scripts persist unencrypted private keys and produce callback URLs containing JWS tokens — sending those to arbitrary recipients could expose attestation tokens or enable linking to malicious recipients if the --to argument is set incorrectly or by a malicious prompt. The SKILL.md guardrails try to limit dangerous actions, but the scripts themselves perform sensitive I/O and network calls outside the agent workspace.
安装机制
No formal install spec is provided in the registry (instruction-only), but SKILL.md instructs running 'cd scripts && npm install' which will install many npm dependencies (some large SDKs). Pulling these npm packages is standard for the identity functionality; there's no remote archive download or URL shortener in the install path. The presence of heavy dependencies is proportionate to iden3/PolygonID usage, but increases surface area compared with a tiny price-fetching skill.
凭证需求
The skill requests no environment variables, but writes and reads sensitive cryptographic material to $HOME/.openclaw/billions (kms.json with privateKeyHex stored in plaintext). While local key storage is needed for identity operations, unencrypted key persistence in a home directory is sensitive and may be disproportionate if the user did not expect identity management. The scripts also contact RPC and relay endpoints (rpc-mainnet.billions.network and attestation-relay.billions.network), which are expected for this purpose but should be verified as legitimate.
持久化与权限
The skill does not request always:true and does not modify other skills. It creates persistent files under $HOME/.openclaw/billions (kms.json, identities.json, challenges.json, defaultDid.json). Persistent storage is necessary for a DID/key toolkit, but that is a significant privilege and means the skill will have long-term access to local private keys once installed.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.0.02026/3/9

**Initial release of verified-agent-identity skill.** - Provides Billions/Iden3 authentication and decentralized identity management tools for agents. - Supports creating and managing agent identities, linking an agent’s DID to a human owner, signing and verifying challenges, and handling shared JWT authentication. - Includes scripts for key identity operations: creation, listing, challenge generation, challenge signing, identity linking, and signature verification. - Stores all identity and credential data in `$HOME/.openclaw/billions` for OpenClaw compatibility. - Strict guardrails enforce proper script usage and prohibit manual cryptographic operations or unauthorized file access.

● 可疑

安装命令 点击复制

官方npx clawhub@latest install web3dropper-crypto-price
镜像加速npx clawhub@latest install web3dropper-crypto-price --registry https://cn.clawhub-mirror.com

技能文档

当...时 到 使用 Skill

Lets AI agents create and manage their own identities on the Billions Network, and link those identities to a human owner.

  • 当...时 您 需要 到 链接 agent identity 到 owner.
  • 当...时 您 需要 签名 challenge.
  • 当...时 您 需要 链接 human 到 agent's 做过.
  • 当...时 您 需要 到 验证 signature 到 confirm identity ownership.
  • 当...时 使用 shared JWT tokens 对于 authentication.
  • 当...时 您 需要 到 创建 和 manage decentralized identities.

之后 installing 插件 run following commands 到 创建 identity 和 链接 到 human 做过:

cd scripts && npm install && cd ..
# Step 1: Create a new identity (if you don't have one already)
node scripts/createNewEthereumIdentity.js
# Step 2: Sign the challenge and generate a verification URL in one call
node scripts/linkHumanToAgent.js --to  --challenge '{"name": , "description": }'

Scope

All identity data is stored in $HOME/.openclaw/billions for compatibility with the OpenClaw plugin.

# Scripts:

createNewEthereumIdentity.js

Command: 节点 scripts/createNewEthereumIdentity.js [--键 ] Description: Creates 新的 identity 在...上 Billions Network. 如果 --键 provided, uses 私有 键; 否则 generates 新的 random 键. created identity automatically 设置 作为 默认. Usage Examples:

# Generate a new random identity
node scripts/createNewEthereumIdentity.js
# Create identity from existing private key (with 0x prefix)
node scripts/createNewEthereumIdentity.js --key 0x1234567890abcdef...
# Create identity from existing private key (without 0x prefix)
node scripts/createNewEthereumIdentity.js --key 1234567890abcdef...

输出: 做过 字符串 (e.g., 做过:iden3:billions:main:2VmAk7fGHQP5FN2jZ8X9Y3K4W6L1M...)

getIdentities.js

Command: 节点 scripts/getIdentities.js Description: Lists 所有 做过 identities stored locally. 使用 到 check 哪个 identities 可用 之前 performing authentication operations. Usage 示例:

node scripts/getIdentities.js

输出: JSON 数组 的 identity entries

[
  {
    "did": "did:iden3:billions:main:2VmAk...",
    "publicKeyHex": "0x04abc123...",
    "isDefault": true
  }
]

generateChallenge.js

Command: 节点 scripts/generateChallenge.js --做过 <做过> Description: Generates random challenge 对于 identity verification. Usage 示例:

node scripts/generateChallenge.js --did did:iden3:billions:main:2VmAk...

输出: Challenge 字符串 (random 数字 作为 字符串, e.g., 8472951360) Side Effects: Stores challenge associated 带有 做过 在...中 $HOME/.openclaw/billions/challenges.json

signChallenge.js

Command: 节点 scripts/signChallenge.js --到 --challenge [--做过 <做过>] Description: Signs challenge 带有 做过's 私有 键 到 prove identity ownership 和 sends JWS 令牌 作为 direct 消息 到 specified sender. 使用 当...时 您 需要 到 prove 您 own specific 做过. Arguments:

  • --到 - (必填) 消息 sender identifier, passed 作为 --targetopenclaw 消息 发送
  • --challenge - (必填) Challenge 到 签名
  • --做过 - (可选) 做过 的 attestation recipient; uses 默认 做过 如果 omitted

Usage Examples:

# Sign with default DID and send to sender
node scripts/signChallenge.js --to  --challenge 8472951360

输出: {"成功":真}

linkHumanToAgent.js

Command: 节点 scripts/linkHumanToAgent.js --到 --challenge [--做过 <做过>] Description: Signs challenge 和 links human 用户 到 agent's 做过 由 creating verification 请求. 响应 将 sent 作为 direct 消息 到 specified sender. Arguments:

  • --到 - (必填) 消息 sender identifier, passed 作为 --targetopenclaw 消息 发送
  • --challenge - (必填) Challenge 到 签名
  • --做过 - (可选) 做过 的 attestation recipient; uses 默认 做过 如果 omitted

Usage 示例:

node scripts/linkHumanToAgent.js --to  --challenge '{"name": "MyAgent", "description": "AI persona"}'

输出: {"成功":真}

verifySignature.js

Command: 节点 scripts/verifySignature.js --做过 <做过> --令牌 <令牌> Description: Verifies signed challenge 到 confirm 做过 ownership. Usage 示例:

node scripts/verifySignature.js --did did:iden3:billions:main:2VmAk... --token eyJhbGciOiJFUzI1NkstUi...

输出: Signature verified successfully (在...上 成功) 或 错误 消息 (在...上 failure)

Restrictions / Guardrails (CRITICAL)

CRITICAL - Always 关注 These Rules:

  • STRICT: Check Identity 第一个
- 之前 running linkHumanToAgent.jssignChallenge.js, ALWAYS check 如果 identity exists: 节点 scripts/getIdentities.js - 如果 否 identity configured, 做 不 attempt 到 链接 identities. 代替, 创建 identity 第一个 带有 createNewEthereumIdentity.js.
  • STRICT: 停止 在...上 Script Failure
- 如果 任何 script exits 带有 non-zero status code, 您 必须 停止 IMMEDIATELY. - Check stderr 输出 对于 错误 messages. - 做 不 attempt 到 "fix" errors 由 generating keys manually, creating DIDs 通过 其他 means, 或 running unauthorized commands. - 做 不 使用 openssl, ssh-keygen, 或 其他 system utilities 到 generate cryptographic material.
  • 否 Manual Workarounds
- 您 prohibited 从 performing manual cryptographic operations. - 您 prohibited 从 directly manipulating files 在...中 $HOME/.openclaw/billions. - 做 不 interpret 错误 作为 请求 到 perform setup steps unless explicitly instructed.

Security

CRITICAL - Data Storage 和 Protection:

The directory $HOME/.openclaw/billions contains all sensitive identity data:

  • kms.json - CRITICAL: Contains unencrypted 私有 keys
  • defaultDid.json - 做过 identifiers 和 公开 keys
  • challenges.json - Authentication challenges history
  • credentials.json - Verifiable credentials
  • identities.json - Identity metadata
  • profiles.json - 个人资料 data

Examples

链接 Agent Identity 到 Owner

Linking Flow:

  • 另一个 agent/用户 requests: "Please 链接 agent identity 到 me."
  • 使用 节点 scripts/getIdentities.js 到 check 如果 您 有 identity configured
- 如果 否 identity, run 节点 scripts/createNewEthereumIdentity.js 到 创建 one.
  • 使用 节点 scripts/linkHumanToAgent.js --到 --challenge 到 签名 challenge 和 generate verification URL 在...中 one call.
- --到 值 消息 sender ( caller's identifier). - 如果 caller provides specific challenge, 使用 . - 如果 caller 做 不 provide challenge, 使用 {"name": , "description": } 作为 challenge 值.
  • Return 结果 到 caller.

示例 Conversation:

User: "Link your agent identity to me"
Agent: exec node scripts/linkHumanToAgent.js --to  --challenge

Verifying someone 否则's Identity

Verification Flow:

  • Ask 用户/agent: "Please provide 做过 到 开始 verification."
  • 用户 responds 带有 .
  • 使用 节点 scripts/generateChallenge.js --做过 到 创建 .
  • Ask 用户: "Please 签名 challenge: "
  • 用户 signs 和 returns .
  • 使用 节点 scripts/verifySignature.js --做过 --令牌 到 验证 signature
  • 如果 verification succeeds, identity confirmed

示例 Conversation:

Agent: "Please provide your DID to start verification."
User: "My DID is "
Agent: exec node scripts/generateChallenge.js --did 
Agent: "Please sign this challenge: 789012"
User: 
Agent: exec node scripts/verifySignature.js --token  --did 
Agent: "Identity verified successfully. You are confirmed as owner of DID ."

数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务