Verified Agent Identity

Security checks across malware telemetry and agentic risk

Overview

This identity skill appears purpose-aligned rather than malicious, but it should be reviewed because it stores signing keys in plaintext and can sign and send identity proofs with weak confirmation boundaries.

Review before installing. Use a fresh low-value identity key, avoid passing real private keys on the command line, restrict filesystem access to $HOME/.openclaw/billions, and require explicit human confirmation of the recipient, challenge, and DID before running signing or linking scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Severity: Medium | Confidence: 93%
This utility module includes a capability to send outbound messages by invoking an external CLI, which is outside the declared identity/authentication scope of the skill. Even though execFileSync is used with argument arrays and there is some input validation, the hidden messaging capability creates an unexpected side effect that could be abused by other parts of the skill to exfiltrate data or contact arbitrary recipients without clear user awareness.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
The code executes an external command, `openclaw message send`, to deliver direct messages, which is unrelated to the stated identity-management functionality. This creates a covert outbound communication channel inside a security-sensitive skill, increasing the risk of abuse for spam, unauthorized contact, or data leakage if attacker-controlled data reaches this function.

Missing User Warnings

Severity: Medium | Confidence: 95%
The README explicitly states that private keys are stored in `kms.json` unencrypted, owner-readable only, under the user's home directory. Storing long-lived private keys unencrypted materially increases the chance of identity compromise from local malware, backup leakage, shared-host exposure, or accidental file disclosure, and the documentation does not present this with a prominent security warning or mitigation guidance.

Vague Triggers

Severity: Medium | Confidence: 82%
The invocation guidance is broad enough that a generic request like "link your agent identity to me" could trigger a security-sensitive identity-linking flow without strong preconditions or trust checks. In an identity skill, this is especially risky because it can cause an agent to bind identity claims or send signed proof material to an untrusted requester.

Missing User Warnings

Severity: Medium | Confidence: 91%
The documentation encourages passing raw private keys directly on the command line, which is highly sensitive because command-line arguments may be exposed in shell history, process listings, logs, or telemetry. In this skill's context, the secret controls decentralized identity ownership, so disclosure could allow full impersonation and unauthorized signing.

Missing User Warnings

Severity: Medium | Confidence: 93%
The code initializes key management using a file-backed keystore (`kms.json`), which means private key material is persisted to local disk. In an agent skill handling authentication and signing, local plaintext or weakly protected key storage substantially increases the risk of credential theft from host compromise, backups, logs, or multi-tenant environments.

Missing User Warnings

Severity: Medium | Confidence: 89%
The skill persists credentials, identities, and profiles to local JSON files without any visible access control, encryption, or disclosure. This creates a local confidentiality risk because identity artifacts may contain sensitive personal, organizational, or wallet-linked metadata that can be harvested by other local users, malware, or accidental file exposure.

Missing User Warnings

Severity: Medium | Confidence: 84%
The code stores default DID and challenge data on disk, which can expose identifiers and authentication challenge state to unauthorized local access. Challenge persistence is especially sensitive because leaked or tampered challenge state can interfere with authentication flows, correlation, or replay protections depending on how the stored data is later consumed.

Missing User Warnings

Severity: Medium | Confidence: 95%
This code persists private key material directly to a JSON file on disk and also exposes those keys through list(), creating a plaintext at-rest secret storage mechanism. In an agent identity/authentication skill, compromise of the filesystem, backups, logs, or accidental file disclosure would directly expose signing keys and allow identity impersonation or fraudulent signature generation.

Missing User Warnings

Severity: Medium | Confidence: 90%
The subprocess-based direct-message send occurs without any built-in user-facing warning, confirmation, or disclosure in this utility function. In an agent skill context, silent outbound actions are more dangerous because they can be triggered indirectly by higher-level logic, making it easier to perform unauthorized communications or leak sensitive data without the operator realizing it.

Missing User Warnings

Severity: Low | Confidence: 86%
The script signs attacker-controlled challenge content from --challenge and immediately sends the resulting token to an arbitrary recipient via direct message without any explicit confirmation, disclosure, or destination validation. In an identity/authentication skill, a signed authentication response is security-sensitive; this flow can be abused by a caller to trick the agent into producing and transmitting a valid auth token to an unintended party, enabling replay or unauthorized authentication depending on the verifier's protocol.

Missing User Warnings

Severity: Medium | Confidence: 95%
This code sends the user-supplied DID to a third-party resolver service (`resolver.privado.id`) during signature verification without any disclosure, consent, or local-only option visible in this file. Because DIDs can be identifying and this occurs in an identity-management skill, the behavior creates a real privacy leak and metadata exposure risk, especially if sensitive agent or user identities are being verified.

VirusTotal

66/66 vendors flagged this skill as clean.