Back to skill

Security audit

DryptoBillions

Security checks across malware telemetry and agentic risk

Overview

This identity skill is coherent, but it stores private keys unencrypted and can send signed identity material to caller-provided recipients without a strong confirmation step.

Install only on a trusted single-user machine if you are comfortable with this skill creating or importing an Ethereum private key and storing it unencrypted under $HOME/.openclaw/billions. Verify every --to recipient before linking or signing, protect backups and local filesystem access, and rotate or abandon identities if kms.json is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This utility module includes an outbound messaging primitive that is unrelated to the stated authentication/identity-management purpose and can be invoked silently by other parts of the skill. Even though execFileSync is used with argument arrays and some input validation is present, the function still enables external communication, creating a covert exfiltration or unsolicited-contact channel in a package that users would not expect to send messages.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code imports child_process.execFileSync and shell-quote parsing to support execution of an external messaging CLI, which adds a powerful side-effect capability not justified by the skill's identity/authentication description. While the current use avoids classic shell injection by not invoking a shell, the presence of subprocess-based outbound messaging materially expands the attack surface and enables data to be sent off-agent through local tooling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly documents storage of private keys in 'kms.json' as unencrypted, owner-readable files under the user's home directory, but provides no prominent warning, threat model, or compensating controls. If that directory is exposed through local compromise, backups, multi-user access, or agent/plugin filesystem overreach, an attacker can steal identity keys and permanently impersonate the user or agent.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation example is broad enough that ordinary conversational text like 'Link your agent identity to me' could trigger privileged identity-linking behavior. In this skill, that behavior can cause signing operations and outbound direct messages, so accidental or prompt-injected activation has meaningful security consequences.

Missing User Warnings

High
Confidence
96% confidence
Finding
The workflow encourages immediate identity creation and linking before clearly warning that the underlying storage contains unencrypted private keys. Because these operations establish long-lived identity material, users may unknowingly create sensitive credentials on disk without understanding the exposure if the host, home directory, backups, or logs are compromised.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script imports raw private key material into the KMS-backed key store and persists it, but gives the user no explicit notice that the supplied or generated Ethereum private key will be stored. In an identity-management skill, persisting key material is often necessary, but undisclosed storage of highly sensitive secrets increases the risk of accidental long-term retention, backup leakage, or later compromise of the KMS/storage layer.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This code sends a generated pairing URL directly to an arbitrary recipient provided via the --to argument, but there is no confirmation, disclosure, or recipient validation in this file before transmitting it. In an identity-linking workflow, a pairing URL can initiate sensitive authentication or account-linking actions, so silent delivery to the wrong party can enable social engineering, misbinding of identities, or unintended disclosure of verification material.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code initializes key storage with `new KeysFileStorage("kms.json")`, which persists private key material to a local file. Storing long-lived cryptographic secrets unencrypted on disk increases the risk of credential theft through local compromise, backup leakage, shared workspace exposure, or accidental inclusion in artifacts.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Credential and identity data are persisted to `credentials.json`, `identities.json`, and `profiles.json` without any visible notice or access-control handling in this file. These files may contain sensitive identity metadata and credentials that could be harvested by other local users, malware, insecure backups, or misconfigured deployments.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The runtime stores DID state and challenge data in `defaultDid.json` and `challenges.json` on disk. While less sensitive than private keys, challenge state and DID mappings can still aid session replay analysis, correlation of identities, or leakage of operational metadata if local storage is exposed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code stores private cryptographic keys directly in a JSON file on disk and also exposes them through list(), with no encryption, access control, or warning about the sensitivity of the material. In an identity/authentication skill, plaintext private key storage is especially dangerous because compromise of the host, workspace, backups, or logs can allow attackers to impersonate identities and produce valid signatures.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
sendDirectMessage performs an external side effect by sending a message through the openclaw CLI without any user-facing disclosure, confirmation, or visible audit at the execution point. In an agent skill context, silent outbound messaging is more dangerous because it can be used to exfiltrate identifiers, proofs, or other sensitive workflow data under the guise of authentication operations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script signs an authentication challenge with the local DID and immediately sends the resulting token to an arbitrary recipient provided via --to, without any confirmation, recipient validation, or display of what is being authorized. In an identity/authentication skill, this is security-sensitive because a user or calling agent could be tricked into signing and transmitting a valid proof to an attacker-controlled destination, enabling phishing-style authentication replay or misuse of the DID-bound assertion.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.