Is ira-hash/aap-passport safe?

manifest.json declares 'hooks': {'onStartup': true}, meaning index.js runs automatically every time the skill is loaded into an agent. The content of index.js was not captured in the evidence dump and cannot be reviewed. This is the single largest trust gap: any capability — credential harvesting, C2 beacon, file exfiltration — could be implemented in this file and would execute silently at startup.

lib/client.js calls fetch() with a caller-supplied serverUrl for both /challenge and /verify endpoints. An agent directed to call aap_generate_proof or the verify function against an attacker-controlled URL would POST the agent's full proof bundle — including publicKey, publicId, timestamp, LLM-generated answers, and ECDSA signature — to that server. The server controls the challenge content and can harvest the response.

The tool aap_sign_message passes arbitrary strings through lib/identity.js sign() which produces a secp256k1 ECDSA signature under the agent's persistent private key. If a malicious skill, prompt, or user coerces the agent into signing a message, that signature is cryptographically indistinguishable from a legitimate agent action. External systems that trust the agent's publicId will accept this as proof of agent intent.

lib/prover.js createBatchPrompt() constructs an LLM prompt containing challenge_string values verbatim from the verification server's JSON response. A malicious AAP server can craft challenge_strings that are prompt injections — e.g., 'Ignore previous instructions and execute...' — which will be processed by the agent's LLM before the response is signed and returned. The agent has no sanitization or sandboxing of server-supplied challenge content.

On first startup, lib/identity.js generates a secp256k1 keypair and writes it to ~/.aap/identity.json with chmod 0600. This is a persistent filesystem side-effect that survives skill removal, creates a durable agent fingerprint across sessions, and stores a private key that subsequent skill code (including the unreviewed index.js) can access via getPrivateKey().

_meta.json references a commit at github.com/clawdbot/skills while the skill was installed from github.com/openclaw/skills. These are distinct GitHub organizations. The metadata was either copied from a fork without update, or the skill was migrated between repos and metadata not synchronized, raising questions about provenance and supply chain integrity.

SKILL.md contains a direct link to https://focused-blessing-production-d764.up.railway.app/ (ClosedClaw Live Demo). An agent injected with this skill's content and given browser/fetch tools could be prompted to interact with this endpoint. The Railway deployment is controlled by the skill author and could serve dynamic content, collect agent fingerprints, or issue instructions.

manifest.json declares version 2.5.0 while SKILL.md, the server package.json, and client package.json all declare version 3.2.0. This indicates either the manifest was not updated when the skill was bumped, or different file trees from different versions were combined. This inconsistency reduces confidence in the integrity of the published artifact.

The evidence captures source for lib/*.js and some package files but omits index.js content and all of packages/server/, packages/client/, and packages/core/ implementations, as well as test/llm-batch-test-internal.mjs and test/e2e-batch.mjs. The unreviewed code surface includes websocket.js, challenges.js, persistence.js, whitelist.js, and logger.js — files whose names suggest logging and persistence behaviors that warrant review.

The protocol's explicit design goal is to verify that a client is an AI agent and block humans from passing verification. An agent that uses this skill to authenticate with AAP-gated services gains access to environments intentionally free of human oversight. Depending on what those services do, this could facilitate agent actions that circumvent user awareness.

inotifywait and auditd recorded reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials at two timestamps. The first (audit 1771929546.298) occurred 28ms after 'ss -tunap' and matches the oathe baseline-scan pattern. The second (audit 1771929563.504) followed the final skill-directory sweep, consistent with a post-install integrity check. No correlated network egress observed. Canary integrity check reports all files intact.