Security audit

Verified Agent Identity

Security checks across malware telemetry and agentic risk

Overview

The skill’s identity and payment features are coherent, but it needs review because it stores long-lived agent private keys and can sign real payments, with plaintext key storage as the default unless configured otherwise.

Install only if you intend this agent to hold a persistent decentralized identity and potentially sign x402 payments. Before creating or importing any identity, set BILLIONS_NETWORK_MASTER_KMS_KEY so that kms.json is written encrypted rather than in plaintext; use a dedicated key that holds no funds; make ~/.openclaw/billions readable by its owner only; and require an explicit, per-payment confirmation before any phase-2 payment execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares operational capabilities that rely on environment variables and networked identity/payment flows, but does not declare corresponding permissions. That mismatch can lead users or orchestration systems to grant the skill more access than is visible from the manifest, undermining least-privilege review and increasing the chance of unintended secret or network use. In this context, the skill handles identity material and signing flows, so hidden capability surface is more sensitive than for a generic utility skill.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The document overstates isolation by claiming workspace-scoped tools cannot read or exfiltrate keys simply because they are stored outside the project directory. In practice, any tool or agent process running with the operator's user privileges may still access the home directory, so this guidance can create a false sense of security and lead operators to underestimate key-exfiltration risk.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The list() method returns every stored private key in raw form, effectively creating a bulk secret export API. In an identity/authentication skill, exposing private key material is especially dangerous because compromise enables full impersonation of agents and unauthorized proof generation.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
By returning all aliases paired with their private keys, the storage layer enables bulk extraction of all agent credentials in one call. Given the stated purpose of agent identity verification and authentication proofs, this capability materially increases blast radius and makes total credential theft trivial if the interface is reachable.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly documents passing a raw private key on the command line (`--key <privateKeyHex>`), which is unsafe because command-line arguments may be exposed through shell history, process listings, logs, or telemetry. In an identity-management skill, this is especially sensitive because compromise of the DID private key enables impersonation and unauthorized signing.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The documentation instructs the agent to sign a challenge and send a JWS token without warning that identity proof artifacts may be linkable, replayed in some contexts if validation is weak, or disclosed through chat logs and external systems. Although signing challenges is a normal identity workflow, the lack of privacy and handling guidance can cause users or agents to share sensitive proof material too broadly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to execute phase 2 after user selection, but it does not prominently and explicitly warn that phase 2 authorizes a real payment and can transfer on-chain value. In an agent setting, this omission is dangerous because users may interpret the flow as ordinary API access rather than a financial authorization, increasing the risk of unintended payments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script accepts or generates an Ethereum private key and immediately uses it to derive signing material without any user-facing disclosure that highly sensitive credentials are being handled. In a security/identity skill, silent handling of private keys increases the chance of accidental exposure, unsafe invocation, or operator misuse, especially because the key is then reused as seed material for identity creation.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code creates a wallet connected to a mainnet RPC provider and performs network-backed identity creation without any visible disclosure that external communication will occur. In the context of decentralized identity, this can surprise users by broadcasting metadata or causing on-chain/off-chain registry interactions tied to their key material and identity lifecycle.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script persists the DID and associated public key to storage and marks it as default without warning the user that local state will be modified. While the data stored is not the private key, silent persistence can create privacy, operational, and integrity issues, especially in an identity-management tool where default identity selection may affect later actions.

Missing User Warnings

High
Confidence
97% confidence
Finding
When no master key is configured, _encodeEntry stores privateKeyHex directly on disk under provider: "plain". Plaintext storage of long-lived private keys is highly sensitive because any local file disclosure, backup exposure, or host compromise immediately yields reusable credentials for impersonation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code sends the full authorization request object to an external URL shortener service, which unnecessarily discloses authentication metadata to a third party. In an identity-verification skill, this is particularly sensitive because the payload may contain verifier identity, callback data, requested proof scope, and correlation identifiers that can be logged, retained, or analyzed by the shortener operator or any compromised intermediary.

Credential Access

High
Category
Privilege Escalation
Content
- `kms.json` — **CRITICAL**: Contains private keys (encrypted if `BILLIONS_NETWORK_MASTER_KMS_KEY` is set, otherwise plaintext)
- `defaultDid.json` — DID identifiers and public keys
- `challenges.json` — Authentication challenges history
- `credentials.json` — Verifiable credentials
- `identities.json` — Identity metadata
- `profiles.json` — Profile data
Confidence
91% confidence
Finding
credentials.json

Session Persistence

Medium
Category
Rogue Agent
Content
## Quick Overview

- **Identity** — Create Ethereum-based DIDs on the Billions Network, link them to a human owner, and prove ownership via challenge/response signing.
- **x402 Payment** — When a server returns `402 Payment Required`, build a signed `PAYMENT-SIGNATURE` header so you can retry the request and gain access.

## Shared Setup
Confidence
73% confidence
Finding
Create Ethereum-based DIDs on the Billions Network, link them to a human owner, and prove ownership via challenge/response signing. - **x402 Payment** — When a server returns `402 Payment Required`, b

VirusTotal

64/64 vendors flagged this skill as clean. A clean antivirus result covers known-malware signatures only; it does not address the design findings above (plaintext key storage, bulk private-key export, unconfirmed payment execution).