Security audit

Verified Agent Identity

Security checks across malware telemetry and agentic risk

Overview

This identity skill fits its stated purpose, but it needs Review because it handles reusable private keys and identity proofs with weak defaults and incomplete consent/disclosure boundaries.

Install only if you are comfortable with this skill managing agent identity keys and creating signed identity proofs. Set a strong BILLIONS_NETWORK_MASTER_KMS_KEY before creating or importing identities, avoid using valuable wallet keys with the --key CLI option, restrict access to $HOME/.openclaw/billions, and run linking/signing commands only when you intentionally want to send that proof through the Billions/Privado services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium, 94% confidence
Finding
The list() method returns each alias together with the corresponding private key material, effectively turning a metadata enumeration API into a secret-export API. Any caller with access to this method can retrieve all loaded private keys in one operation, which materially increases the blast radius of misuse or compromise.

Context-Inappropriate Capability

Medium, 91% confidence
Finding
This code supports bulk export of every stored private key via a simple list() call, which is difficult to justify for an identity-verification storage component. In the context of decentralized identity and authentication proofs, exposure of multiple private keys can enable impersonation, unauthorized signing, and broad compromise of agent identities.

Missing User Warnings

Medium, 94% confidence
Finding
The README explicitly documents that private keys are stored as raw hex in `kms.json` when `BILLIONS_NETWORK_MASTER_KMS_KEY` is not set, yet the installation and identity-creation flow does not place a prominent warning before users are instructed to generate identities. In an identity-management skill, this is security-relevant because agents and users may create long-lived signing keys that become recoverable by any local compromise, backup leak, or accidental file exposure.

Missing User Warnings

Medium, 98% confidence
Finding
The skill explicitly tells users to provide a private key via `--key` on the command line. Command-line arguments are commonly exposed through shell history, audit logs, CI logs, terminal scrollback, and process listings (`ps`), so this guidance can directly leak the wallet private key used for the identity.

Missing User Warnings

Medium, 95% confidence
Finding
The code sends the full authorization request object to an external URL shortener, which introduces a third party into a sensitive identity-verification and pairing flow. Even if the request is not a direct private key secret, it contains verification metadata, callback information, and proof-request details that can be logged, retained, correlated, or modified by the shortener service, creating privacy, integrity, and phishing risks.

Missing User Warnings

Medium, 93% confidence
Finding
The code initializes key storage with a file-backed store (`kms.json`), which means private key material is persisted to disk. Storing authentication keys locally without encryption, permission hardening, or explicit user disclosure increases the risk of credential theft from the host filesystem, backups, or accidental commits.

Missing User Warnings

Medium, 89% confidence
Finding
Credential, identity, profile, DID, and challenge data are persisted to local JSON files, which can expose sensitive identity metadata and authentication state if the filesystem is accessed by another user or process. In an agent identity skill, this is more dangerous because these artifacts can be used to correlate identities, replay flows, or assist account compromise.

Missing User Warnings

High, 98% confidence
Finding
When no master key is present, _encodeEntry() stores private keys on disk in plaintext under provider: "plain" with no warning, failure, or secure fallback. This means a configuration mistake or missing environment variable silently downgrades key protection, allowing anyone with filesystem access, backups, or logs to recover signing keys.

Missing User Warnings

Medium, 91% confidence
Finding
The script sends a user-supplied DID to a third-party resolver service, which can disclose sensitive identifier usage and metadata to an external party without any explicit notice or opt-in at this call site. In an identity-verification skill, DIDs may be linkable to real-world identities or agent activity, so remote resolution can create privacy leakage and tracking risk even if the code is functionally correct.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.