Verified Agent Identity

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform the advertised agent identity workflow, but it handles long-lived identity keys and human-agent linking with risky defaults that users should review carefully.

Install only if you intentionally want Billions agent identity creation and human-agent linking. Configure BILLIONS_NETWORK_MASTER_KMS_KEY before creating identities, avoid importing valuable wallet keys with --key, treat $HOME/.openclaw/billions as sensitive, and understand that linking may create a persistent association between a human identity and the agent DID.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill requires Node.js scripts that handle identity creation, key material, local filesystem state, and network-backed verification flows, yet it declares no explicit permissions. This creates a transparency and policy-enforcement gap: an agent or platform may invoke code with network and environment access without clear user awareness or sandbox constraints.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The 'When to use this Skill' section uses broad triggers like linking identities, signing challenges, verifying ownership, and using shared JWT tokens, which are common tasks that could cause the skill to activate in overly general situations. In an identity skill that can create DIDs and sign challenges, over-broad invocation increases the chance of unintended sensitive operations being performed without sufficiently specific user intent.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The skill instructs users to create identities and link human DIDs, and later states that sensitive identity data is stored under $HOME/.openclaw/billions, with private keys potentially in plaintext if no master key is set. Documenting and encouraging these operations without an explicit consent prompt or warning before key generation/storage can lead to silent creation of long-lived credentials and exposure of highly sensitive secret material.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
This is a true vulnerability: if no master key is configured, _encodeEntry stores private keys with provider: "plain" and writes the raw key material to kms.json. That creates a clear secret-at-rest exposure path through filesystem access, backups, logs, container layers, or accidental commits, and there is no visible enforcement or warning preventing insecure deployment.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The code sends a user-supplied DID to a third-party resolver service during signature verification without any disclosure, consent flow, or local-only option. Because DIDs can be privacy-sensitive identifiers and this skill explicitly links agents to human identities, this creates metadata leakage to an external party and allows correlation of verification activity, which is especially relevant in an identity-focused context.

VirusTotal

66/66 vendors flagged this skill as clean.
