ClawHub

neyrizk

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real decentralized identity skill, but it needs review because it stores and uses private identity keys with weak defaults and broad signing behavior.

Install only if you trust the publisher and understand that this skill creates persistent local identity keys. Set BILLIONS_NETWORK_MASTER_KMS_KEY before creating identities, avoid importing funded or high-value wallet keys, do not pass private keys directly on the command line, and treat any request to sign a challenge as an authentication action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README explicitly instructs users to pass an Ethereum private key via a command-line argument, which is commonly exposed through shell history, process listings, terminal logs, CI logs, and telemetry. Because this skill manages decentralized identity keys, disclosure of that private key can enable full identity takeover, fraudulent attestations, and irreversible compromise of linked on-chain or DID-backed identities.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions tell users to create a new identity and automatically set it as default without an upfront warning that keys and identity metadata will be persistently stored under $HOME/.openclaw/billions. That creates a real security and operational risk because users may unintentionally overwrite workflow assumptions, change the active identity, or leave private keys stored locally, potentially in plaintext when the master KMS key is unset.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The examples direct users to run linking and verification flows that write challenges, identities, and related authentication artifacts to local storage, but they do not warn that this data may persist and may be sensitive. In an identity skill, silent persistence increases the chance of leaking authentication history, correlation data, and local identity state to other processes or future users of the same environment.

Missing User Warnings

High
Confidence
97% confidence
Finding
When no master key is present, _encodeEntry stores privateKeyHex directly to disk with provider set to plain. This creates a high-risk secret exposure condition because wallet or identity private keys can be recovered by any local user, process, backup system, or log/artifact collection that can read kms.json. In an agent identity skill, these keys are especially sensitive because compromise enables impersonation and unauthorized proof generation.

Missing User Warnings

High
Confidence
96% confidence
Finding
The list() method returns each alias together with the raw private key material, unnecessarily broadening secret exposure beyond targeted retrieval. Any caller with access to this API can enumerate and exfiltrate all stored keys in one operation, which is particularly dangerous for an identity/authentication skill where keys directly control agent identity and proof signing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This script will sign an attacker-controlled challenge using a stored DID/KMS key as soon as it is invoked, with no confirmation, policy check, origin validation, or challenge schema validation. In an agent setting, that creates a signing oracle: any component that can pass arbitrary JSON to this script may obtain valid authentication proofs or attestations tied to the operator’s DID, which can enable impersonation or unauthorized authentication flows.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal