Abdullahi AI Agent

Security checks across malware telemetry and agentic risk

Overview

This identity skill is purpose-aligned, but it creates and stores long-lived signing keys with insecure defaults that users should review before installing.

Install only if you are comfortable with this skill creating or importing identity private keys and storing them under $HOME/.openclaw/billions. Set BILLIONS_NETWORK_MASTER_KMS_KEY before creating identities, treat kms.json as highly sensitive, avoid importing valuable production Ethereum keys, and review the Billions linking URL flow before using it with a real human identity.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (9)

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The list() method returns each alias together with the raw private key material, which unnecessarily exposes secrets to any caller that only needs metadata. In an identity/proof-generation skill, these keys are the root of trust for attestations and authentication proofs, so accidental logging, API exposure, or misuse of this method can directly enable impersonation and unauthorized signing.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: When no master key is configured, _encodeEntry() silently stores private keys in plaintext on disk using provider: "plain". This creates a straightforward secret-at-rest compromise path: anyone with filesystem, backup, container, or artifact access can recover the keys and use them to forge identity proofs or impersonate agents.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README instructs users to generate and use Ethereum private keys before prominently warning that, unless BILLIONS_NETWORK_MASTER_KMS_KEY is configured, those keys are stored in plaintext on disk. For an identity-management skill, this is dangerous because compromise of local storage immediately exposes long-lived private keys that enable identity takeover, fraudulent proofs, and unauthorized signing.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The trigger conditions are broad and include common identity and authentication tasks, making accidental invocation likely in ordinary conversations. In this skill's context, accidental invocation is more dangerous because the documented actions can create identities, sign challenges, and initiate linking flows tied to persistent credentials.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The documentation instructs users to create identities and link them without a clear up-front warning that private keys and identity artifacts will be stored under the user's home directory, potentially in plaintext if the master KMS key is unset. In an identity-management skill, that omission is especially risky because users may unknowingly create long-lived sensitive material on disk.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: This code sends the full authorization request payload to an external URL shortener service, which introduces a third-party trust dependency for identity-verification data. Even if the request is not a secret in the cryptographic sense, it can contain sensitive metadata about the verification flow, callback endpoint, scopes, and linkage context; the shortener can log, retain, correlate, or tamper with the resulting URL without any user warning or explicit consent. In an identity-linking skill, this is more dangerous because the payload is directly tied to human-agent association and proof workflows, increasing privacy and phishing risks.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The code initializes key storage with a file-backed keystore (`kms.json`), which means private key material is persisted locally. For an identity/authentication skill, storing long-lived signing keys on disk without any evident encryption, permission hardening, or user disclosure increases the risk of key theft and account/identity compromise if the host is shared or the filesystem is exposed.

Missing User Warnings

Medium

Confidence: 81% confidence
Finding: The module persists credentials, identities, profiles, DIDs, and challenge data to local JSON files. In the context of a decentralized identity skill, these artifacts can contain sensitive personal, authentication, or correlation data, so unprotected local persistence can leak private information or enable replay/impersonation if challenge material is recovered.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The code not only permits plaintext private-key storage, but does so without any warning, confirmation, or explicit opt-in, increasing the likelihood that operators will unknowingly deploy insecurely. In the context of decentralized identity tooling, undisclosed plaintext storage is especially dangerous because compromise of these keys undermines authentication, attestation integrity, and non-repudiation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal