DEV Community: Samer Ismail The latest articles on DEV Community by Samer Ismail (@sameris). https://dev.to/sameris https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3783295%2Ff2c1c987-dda4-4b5d-a0f5-05a0affb778d.png DEV Community: Samer Ismail https://dev.to/sameris en How OpenClaw Handles Agent Identity Today (It Doesn't) And How to Fix It Samer Ismail Sat, 21 Feb 2026 00:43:14 +0000 https://dev.to/sameris/how-openclaw-handles-agent-identity-today-it-doesnt-and-how-to-fix-it-32id https://dev.to/sameris/how-openclaw-handles-agent-identity-today-it-doesnt-and-how-to-fix-it-32id <h1> How OpenClaw Handles Agent Identity Today (It Doesn't) </h1> <p>OpenClaw is one of the most popular open-source AI agent frameworks — 180K+ GitHub stars, massive community, thriving skill marketplace.</p> <p>But here's the thing: <strong>there's no way to verify who an agent actually is</strong>.</p> <p>Any agent can call any skill. Any agent can claim to be any other agent. There's no authentication, no identity layer, no accountability.</p> <p>This isn't a theoretical problem. Cisco's security research team documented cases of third-party agent skills performing <strong>data exfiltration</strong> from host applications. The agent ecosystem has an identity crisis.</p> <h2> What "No Identity" Actually Means </h2> <p>Let's make this concrete. Here's what happens today when an agent calls a skill in OpenClaw:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Agent "TrustedBot" → calls email-send skill → sends email Agent "MaliciousBot" (pretending to be "TrustedBot") → calls email-send skill → sends spam </code></pre> </div> <p>The skill marketplace can't tell the difference. There's no cryptographic proof of who's calling. No audit trail. No way to revoke access to a specific agent.</p> <p>Compare this to how web apps work:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Web Apps</th> <th>AI Agents (today)</th> </tr> </thead> <tbody> <tr> <td><strong>Identity</strong></td> <td>OAuth / JWT / session cookies</td> <td>Nothing</td> </tr> <tr> <td><strong>Verification</strong></td> <td>"Sign in with Google"</td> <td>Agent says "trust me bro"</td> </tr> <tr> <td><strong>Revocation</strong></td> <td>Token blocklists, session invalidation</td> <td>N/A</td> </tr> <tr> <td><strong>Risk scoring</strong></td> <td>IP reputation, fraud detection</td> <td>N/A</td> </tr> <tr> <td><strong>Audit trail</strong></td> <td>Every action linked to verified user</td> <td>Agent handles are unverified strings</td> </tr> </tbody> </table></div> <p>Agents are where web apps were in 1995 — before cookies, before OAuth, before any identity standard existed.</p> <h2> The Three Attack Vectors </h2> <h3> 1. Agent Impersonation </h3> <p>Without identity verification, nothing stops <code>EvilAgent</code> from claiming to be <code>ProductionAssistant</code>. If your skill marketplace gates features by agent handle (a string), that's trivially spoofable.</p> <h3> 2. Skill Abuse Without Accountability </h3> <p>When an agent calls a sensitive skill (send email, process payment, access database), there's no verified identity attached to that call. If something goes wrong, you have no audit trail.</p> <h3> 3. Data Exfiltration via Malicious Skills </h3> <p>Cisco found this in the wild: third-party skills that appear legitimate but siphon data back to an attacker. Without verified agent identity, you can't even implement basic trust policies like "only allow verified agents to use this skill" or "block agents with a bad track record."</p> <h2> The Fix: Cryptographic Agent Identity </h2> <p>We built <a href="https://github.com/zerobase-labs/agent-passport" rel="noopener noreferrer">Agent Passport</a> — an open-source identity verification layer specifically for AI agents. Think "Sign in with Google, but for Agents."</p> <p>Here's the flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────┐ ┌──────────────────┐ ┌───────────┐ │ Agent │ │ Agent Passport │ │ Skill │ │ (OpenClaw) │ │ (Identity) │ │ Gateway │ └──────┬──────┘ └────────┬─────────┘ └─────┬─────┘ │ │ │ │ 1. Register (pubkey) ──▶ │ │◀── Agent ID ───────────│ │ │ │ │ │ 2. Challenge ──────────▶ │ │◀── Nonce ──────────────│ │ │ │ │ │ 3. Sign + Exchange ────▶ │ │◀── JWT Token ──────────│ │ │ │ │ │ 4. Call skill ──────────┼─────────────────────────▶ │ (with JWT) │ │ │ │◀── 5. Verify token ────│ │ │──── Identity + risk ───▶│ │ │ │ │◀── 6. Skill result ────┼─────────────────────────│ </code></pre> </div> <p>Key properties:</p> <ul> <li> <strong>Ed25519 signatures</strong> — unforgeable without the private key</li> <li> <strong>Private key never leaves the agent</strong> — zero-knowledge authentication</li> <li> <strong>JWT tokens</strong> — 60-minute TTL, instantly revocable</li> <li> <strong>Risk scoring</strong> — every agent gets a 0-100 score (allow / throttle / block)</li> <li> <strong>Single-use nonces</strong> — replay attacks are impossible</li> </ul> <h2> Before vs. After: Code Comparison </h2> <h3> Before: Any Agent Can Call Any Skill </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Current OpenClaw skill handler — no identity check</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/skills/email-send/execute</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Who is calling this? No idea. The agent says it's "TrustedBot"</span> <span class="c1">// but anyone can set that header.</span> <span class="kd">const</span> <span class="nx">agentName</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-agent-name</span><span class="dl">'</span><span class="p">];</span> <span class="c1">// unverified string</span> <span class="nf">sendEmail</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">to</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">subject</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">sent</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h3> After: Only Verified Agents Can Call Skills </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">requireVerifiedAgent</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./verify-middleware</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// With Agent Passport — cryptographic identity verification</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/skills/email-send/execute</span><span class="dl">'</span><span class="p">,</span> <span class="nf">requireVerifiedAgent</span><span class="p">(),</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// req.verifiedAgent is cryptographically proven</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">agentId</span><span class="p">,</span> <span class="nx">handle</span><span class="p">,</span> <span class="nx">risk</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">verifiedAgent</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Agent </span><span class="p">${</span><span class="nx">handle</span><span class="p">}</span><span class="s2"> (risk: </span><span class="p">${</span><span class="nx">risk</span><span class="p">.</span><span class="nx">score</span><span class="p">}</span><span class="s2">) sending email`</span><span class="p">);</span> <span class="c1">// Block high-risk agents from sensitive operations</span> <span class="k">if </span><span class="p">(</span><span class="nx">risk</span><span class="p">.</span><span class="nx">score</span> <span class="o">&gt;</span> <span class="mi">30</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Risk too high for email skill</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">sendEmail</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">to</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">subject</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">sent</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">verifiedBy</span><span class="p">:</span> <span class="nx">agentId</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>The middleware handles all the cryptographic verification. Your skill code just reads <code>req.verifiedAgent</code>.</p> <h2> Agent-Side Integration: 6 Lines </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AgentClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@zerobase-labs/passport-sdk</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AgentClient</span><span class="p">({</span> <span class="na">baseUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://agent-passport.onrender.com</span><span class="dl">'</span> <span class="p">});</span> <span class="c1">// Register once</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">agentId</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">register</span><span class="p">({</span> <span class="na">handle</span><span class="p">:</span> <span class="dl">'</span><span class="s1">my-openclaw-agent</span><span class="dl">'</span><span class="p">,</span> <span class="na">publicKeyB64</span><span class="p">:</span> <span class="nx">myPublicKey</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Authenticate when you need to call skills</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">token</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">authenticate</span><span class="p">({</span> <span class="nx">agentId</span><span class="p">,</span> <span class="na">sign</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">nonce</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Sign the challenge — private key NEVER leaves this process</span> <span class="kd">const</span> <span class="nx">sig</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ed</span><span class="p">.</span><span class="nf">signAsync</span><span class="p">(</span><span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">().</span><span class="nf">encode</span><span class="p">(</span><span class="nx">nonce</span><span class="p">),</span> <span class="nx">privateKey</span><span class="p">);</span> <span class="k">return</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">sig</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">);</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Use the token when calling skills</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://skill-gateway.example.com/skills/web-search/execute</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-Agent-Token</span><span class="dl">'</span><span class="p">:</span> <span class="nx">token</span> <span class="p">},</span> <span class="c1">// ...</span> <span class="p">});</span> </code></pre> </div> <h2> App-Side Verification: 3 Lines </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AgentPassportClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@zerobase-labs/passport-sdk</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">passport</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AgentPassportClient</span><span class="p">({</span> <span class="na">baseUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://agent-passport.onrender.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">appId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">your-app-id</span><span class="dl">'</span><span class="p">,</span> <span class="na">appKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">your-app-key</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">passport</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">valid</span> <span class="o">&amp;&amp;</span> <span class="nx">result</span><span class="p">.</span><span class="nx">risk</span><span class="p">.</span><span class="nx">action</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">allow</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Proceed — this agent is who they claim to be</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Verified: </span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">agentId</span><span class="p">}</span><span class="s2">, risk score: </span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">risk</span><span class="p">.</span><span class="nx">score</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> What This Enables </h2> <p>With verified agent identity, skill marketplaces can:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Capability</th> <th>Without Identity</th> <th>With Agent Passport</th> </tr> </thead> <tbody> <tr> <td><strong>Gate sensitive skills</strong></td> <td>Anyone can call any skill</td> <td>Only verified, low-risk agents</td> </tr> <tr> <td><strong>Audit trail</strong></td> <td>"some agent did something"</td> <td>"agent <code>ag_abc123</code> (handle: <code>research-bot</code>) called <code>email-send</code> at 14:32:07"</td> </tr> <tr> <td><strong>Rate limit by identity</strong></td> <td>By IP (easily bypassed)</td> <td>By cryptographically verified agent ID</td> </tr> <tr> <td><strong>Trust tiers</strong></td> <td>None</td> <td>new (cautious) → established (normal) → trusted (full access)</td> </tr> <tr> <td><strong>Instant revocation</strong></td> <td>Can't target specific agents</td> <td>Revoke one agent's token in milliseconds</td> </tr> <tr> <td><strong>Reputation</strong></td> <td>Hope for the best</td> <td>Risk score based on age, behavior, verification history</td> </tr> </tbody> </table></div> <h2> Try It Now </h2> <p>Agent Passport is fully deployed and free to use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install the SDK</span> npm <span class="nb">install</span> @zerobase-labs/passport-sdk <span class="c"># Run the full end-to-end demo</span> git clone https://github.com/zerobase-labs/agent-passport <span class="nb">cd </span>agent-passport/examples/openclaw-integration/e2e-demo npm <span class="nb">install </span><span class="nv">PASSPORT_URL</span><span class="o">=</span>https://agent-passport.onrender.com <span class="se">\</span> <span class="nv">PASSPORT_APP_ID</span><span class="o">=</span>your-id <span class="se">\</span> <span class="nv">PASSPORT_APP_KEY</span><span class="o">=</span>your-key <span class="se">\</span> npx tsx demo.ts </code></pre> </div> <p><strong>Live API:</strong> <a href="https://agent-passport.onrender.com" rel="noopener noreferrer">https://agent-passport.onrender.com</a><br><br> <strong>Portal:</strong> <a href="https://agent-passport.vercel.app" rel="noopener noreferrer">https://agent-passport.vercel.app</a><br><br> <strong>GitHub:</strong> <a href="https://github.com/zerobase-labs/agent-passport" rel="noopener noreferrer">https://github.com/zerobase-labs/agent-passport</a><br><br> <strong>npm:</strong> <a href="https://www.npmjs.com/package/@zerobase-labs/passport-sdk" rel="noopener noreferrer">@zerobase-labs/passport-sdk</a></p> <p>The entire stack runs on free tiers — Neon (Postgres), Upstash (Redis), Render (API), Vercel (Portal). $0/month.</p> <h2> The Bigger Picture </h2> <p>Every major platform had its "identity moment":</p> <ul> <li> <strong>Web:</strong> cookies (1994) → OAuth (2007) → "Sign in with Google"</li> <li> <strong>Mobile:</strong> device IDs → app-scoped tokens → biometrics</li> <li> <strong>APIs:</strong> API keys → OAuth2 → JWT + JWKS</li> </ul> <p>AI agents are at the pre-cookies stage. There's no standard for agent identity. Agent Passport is an attempt to build that standard — open source, MIT licensed, built for the community.</p> <p>If you're building with AI agents, the identity gap will bite you eventually. Better to have the infrastructure ready before the first real attack, not after.</p> <p>Star the repo. Try the demo. Build on top of it. Or just steal the architecture — it's MIT licensed.</p> <p><a href="https://github.com/zerobase-labs/agent-passport" rel="noopener noreferrer"><strong>→ github.com/zerobase-labs/agent-passport</strong></a></p> ai security opensource typescript