awiki-agent-did-message

Security checks across malware telemetry and agentic risk

Overview

The skill's stated purpose (DID identity plus E2EE messaging) matches what the code does, but it also grants itself persistent background messaging access and automatically decrypts or forwards private message content, and several of the controls around that behaviour are scoped more broadly than the purpose requires.

Review this carefully before installing. It is best suited for users who intentionally want an always-on DID/E2EE messaging agent and understand that it can install a background listener, modify OpenClaw config/heartbeat files, store identity keys and JWTs, auto-process encrypted inbox items, and forward message content through local OpenClaw hooks. Prefer Git/HTTPS installation over the HTTP zip path, disable or avoid realtime/heartbeat auto-decryption if you do not want private messages surfaced automatically, and inspect the OpenClaw channel-forwarding and SQL query behavior before using it with sensitive accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Intent-Code Divergence

Severity: Medium
Confidence: 82%
Finding
The file promises that upgrading does not modify existing local data, yet elsewhere states that installation and upgrade may run schema migrations. Contradictory safety claims can mislead users into authorizing upgrades without backups or review, and migrations by definition alter stored state or its structure.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
This is a real logic flaw: when processing inbound E2EE protocol messages, the code derives the actual sender as `sender_did` but sends generated protocol responses to the CLI-supplied `peer_did` instead. In a mixed inbox or when an attacker injects protocol traffic, this can misroute acks/errors/rekey traffic to the wrong party, causing session confusion, message delivery failures, state corruption, and possible metadata leakage about active sessions or failed decryptions.
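The misrouting described above, shown as an added example that is not part of the original report or the skill's code. `Envelope`, `Outbox`, the two `respond_*` functions, `KNOWN_PEERS` and the sample inbox are constructed for illustration; the point is that a mixed inbox run with `peer_did` set to alice sends bob's rekey acknowledgement to alice in the vulnerable version, while the fixed version replies to the verified sender and drops traffic from DIDs with no established session so that an injected message does not earn an ack.

```python
"""Added example (not the skill's code): send protocol replies to the
verified sender of an inbound E2EE message instead of to the CLI-supplied
peer. Envelope, Outbox, the respond_* functions, KNOWN_PEERS and the
sample inbox below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Envelope:
    sender_did: str   # derived from the verified inbound message
    msg_type: str     # e.g. "data", "rekey"
    body: str


@dataclass
class Outbox:
    sent: list = field(default_factory=list)

    def send(self, to_did: str, msg_type: str, body: str) -> None:
        self.sent.append((to_did, msg_type, body))


# DIDs with an established session (constructed stand-in for session state).
KNOWN_PEERS = {"did:example:alice", "did:example:bob"}


def respond_vulnerable(env: Envelope, peer_did: str, outbox: Outbox):
    """The flaw in the finding: the reply goes to whatever DID the CLI was
    invoked with, regardless of who actually sent the message."""
    outbox.send(peer_did, "ack", f"ack:{env.msg_type}")
    return peer_did


def respond_fixed(env: Envelope, peer_did: str, outbox: Outbox, known=KNOWN_PEERS):
    """Reply to the authenticated sender. peer_did is only the session the
    operator expects, not a routing decision. Unknown senders get no reply,
    so injected traffic cannot probe which sessions are active."""
    if env.sender_did not in known:
        return None
    outbox.send(env.sender_did, "ack", f"ack:{env.msg_type}")
    return env.sender_did


def process_inbox(messages, peer_did, responder):
    """Run a responder over a mixed inbox and record where replies went."""
    outbox = Outbox()
    replies_per_did = {}   # DID -> number of protocol replies addressed to it
    misroutes = []         # (sender, actual recipient, type) where they differ
    dropped = []           # senders whose traffic produced no reply
    for env in messages:
        target = responder(env, peer_did, outbox)
        if target is None:
            dropped.append(env.sender_did)
            continue
        replies_per_did[target] = replies_per_did.get(target, 0) + 1
        if target != env.sender_did:
            misroutes.append((env.sender_did, target, env.msg_type))
    return outbox, replies_per_did, misroutes, dropped


# Constructed sample: the operator ran the CLI for alice, but the inbox also
# holds a rekey from bob and an injected protocol message from a third party.
CLI_PEER = "did:example:alice"
SAMPLE_INBOX = [
    Envelope("did:example:alice", "data", "hi"),
    Envelope("did:example:bob", "rekey", "new-ephemeral-key"),
    Envelope("did:example:mallory", "data", "injected"),
]

if __name__ == "__main__":
    for name, responder in (("vulnerable", respond_vulnerable), ("fixed", respond_fixed)):
        _, per_did, misroutes, dropped = process_inbox(SAMPLE_INBOX, CLI_PEER, responder)
        print(name, per_did, "misrouted:", misroutes, "dropped:", dropped)
```

Run as a script it prints both routings side by side; the vulnerable run addresses all three acks to alice, so bob's rekey is never acknowledged to bob and alice receives acks for messages she never sent.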

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The listener enumerates active OpenClaw gateway sessions and forwards inbound message-derived content to every discovered external channel/target pair, rather than to an explicitly authorized recipient set bound to the current conversation or user consent. In an identity/E2EE messaging skill, this creates a real cross-channel data exfiltration path: private or decrypted messages can be disclosed to unrelated sessions such as Telegram/Feishu targets merely because they were recently active.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger list includes very broad everyday terms like identity, profile, content, publish, inbox, send message, follow, group, search, and find user. Overbroad triggers can cause unintended invocation in unrelated conversations, which is especially risky here because the skill can perform network actions, persistent state changes, and proactive behaviors.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The guide explicitly says to recommend people whenever they show merely 'potential as a valuable connection' and sets no minimum threshold for member or message evidence. In a skill that supports identity, discovery, follow, and direct messaging, this can drive over-broad profiling and outreach based on weak signals, increasing privacy, spam, and unwanted-contact risks at scale.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The file explicitly makes E2EE auto-processing mandatory during heartbeat and states that unread encrypted content may be decrypted into plaintext for the current result. That creates a confidentiality risk because sensitive encrypted messages can be exposed automatically in routine status checks without an explicit per-message user action or meaningful consent boundary.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The trigger list is extremely broad and includes common terms like identity, content, publish, search, and find user. That increases the chance the skill activates in unrelated conversations and then performs identity, inbox, or network-related workflows the user did not explicitly intend.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The document mandates automatic status checks at session start, 15-minute heartbeats, listener setup, and default E2EE processing, but does not surface at that point that these actions cause network access and message processing. This creates a consent and transparency gap where an agent may contact remote services or process inbox contents without a fresh, explicit user request.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The documentation includes ready-to-run SQL examples that retrieve sensitive local data (message content, contact notes, recommendation reasons, group membership snapshots and relationship history) directly from a shared SQLite store. That is more dangerous here than in a generic database tool: the store holds identity, inbox, group and default-on E2EE state for multiple local DIDs, so examples that normalize broad plaintext inspection invite agents or operators to expose private communications and metadata without any privacy guardrail.
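One way to keep routine inspection of such a store from surfacing message bodies, as an added example that is not part of the original report or the skill's code: open the SQLite file with an authorizer callback that returns `SQLITE_IGNORE` for reads of content-bearing columns (SQLite then returns NULL for them while the rest of the query runs) and `SQLITE_DENY` for any write. The schema, the `SENSITIVE_COLUMNS` set and the seeded rows are constructed for illustration; the skill's real table names are not known from the report.

```python
"""Added example (not the skill's code): open the shared SQLite store so
that content columns read as NULL and writes are refused, via sqlite3's
authorizer hook. Schema, SENSITIVE_COLUMNS and rows are constructed."""
import sqlite3

# (table, column) pairs that must never leave the store during routine inspection.
SENSITIVE_COLUMNS = {
    ("messages", "content"),
    ("contacts", "notes"),
    ("recommendations", "reason"),
}

WRITE_ACTIONS = {
    sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_CREATE_TABLE,
}


def seed(conn: sqlite3.Connection) -> None:
    """Constructed sample data standing in for the skill's local store."""
    conn.executescript("""
        CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, content TEXT);
        CREATE TABLE contacts (did TEXT, notes TEXT);
        CREATE TABLE recommendations (did TEXT, reason TEXT);
        INSERT INTO messages (sender, content) VALUES ('did:example:alice', 'meet at 9');
        INSERT INTO messages (sender, content) VALUES ('did:example:bob', 'salary figures attached');
        INSERT INTO contacts VALUES ('did:example:bob', 'knows the CFO');
        INSERT INTO recommendations VALUES ('did:example:carol', 'posts in the same groups');
    """)


def _authorizer(action, arg1, arg2, dbname, source):
    # For SQLITE_READ, arg1 is the table and arg2 the column being read.
    if action == sqlite3.SQLITE_READ and (arg1, arg2) in SENSITIVE_COLUMNS:
        return sqlite3.SQLITE_IGNORE   # column is returned as NULL; query still runs
    if action in WRITE_ACTIONS:
        return sqlite3.SQLITE_DENY     # statement fails with "not authorized"
    return sqlite3.SQLITE_OK


def open_inspection_connection(path: str = ":memory:") -> sqlite3.Connection:
    """Connection for status checks and ad-hoc queries: metadata only, read-only."""
    conn = sqlite3.connect(path)
    if path == ":memory:":
        seed(conn)        # demo only; a real store already holds its data
    conn.set_authorizer(_authorizer)
    return conn


def list_messages(conn: sqlite3.Connection) -> list:
    """The same shape of query the docs suggest; content comes back NULL."""
    return conn.execute("SELECT sender, content FROM messages ORDER BY id").fetchall()


def attempt_write(conn: sqlite3.Connection) -> bool:
    """True if a write slipped through, False if the authorizer refused it."""
    try:
        conn.execute("INSERT INTO contacts VALUES ('did:example:x', 'y')")
        return True
    except sqlite3.DatabaseError:
        return False


if __name__ == "__main__":
    c = open_inspection_connection()
    print(list_messages(c))        # senders visible, content None
    print("write allowed:", attempt_write(c))
```

The authorizer is installed after seeding because it also fires for `CREATE TABLE` and the seed inserts; on a real store, open the file and install it immediately. Sender DIDs and counts still come through, which is what a status check needs, while the columns the finding lists stay sealed.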

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
Decrypted plaintext is printed directly to stdout, which commonly ends up in terminal scrollback, shell history capture tools, CI logs, process supervisors, or other local logging/observability systems. That defeats part of the operational value of E2EE by exposing sensitive message contents at the endpoint without an explicit opt-in or strong warning.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
Echoing the original plaintext after sending exposes secret content locally even though the transport path is encrypted. In environments with stdout mirroring, terminal recording, centralized logs, or multi-user systems, this creates avoidable plaintext disclosure and undermines the confidentiality expectations of an E2EE messaging tool.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The code automatically invokes `get_service_manager().start()` when the listener is not running, with no consent, disclosure, or policy gate in this file. In an agent skill that advertises proactive listener setup, heartbeat behavior, and default-on messaging/E2EE processing, silently starting a background service expands execution and network exposure in a way users may not expect, which can undermine least surprise and operational control.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script prints the first part of the refreshed JWT to stdout, which exposes bearer-token material in terminals, shell history captures, CI logs, remote session recordings, and centralized log collectors. Even partial token disclosure is unnecessary and risky: JWTs often carry sensitive claims, a prefix is enough to correlate the token across logs, and in some environments the full token may be recoverable from adjacent logging or copy/paste workflows.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script persists highly sensitive material including JWTs and multiple private keys immediately after registration, but provides no explicit warning, consent checkpoint, permission hardening, or indication of where/how securely the data will be stored. In an agent identity/E2EE context, compromise of these saved credentials can enable account takeover, DID impersonation, and decryption/signing abuse, so silent storage materially increases operational risk.
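What the post-registration save could look like with the missing hardening, as an added example that is not part of the original report or the skill's code: the state directory and file are created owner-only at creation time (no window with wider permissions), an existing path is refused rather than overwritten or followed, and the result is audited before it is trusted. `persist_identity`, `audit_secret_file` and the placeholder bundle are constructed for illustration; the PEM and JWT strings are dummies, not key material.

```python
"""Added example (not the skill's code): persist the identity bundle (JWT
plus private keys) with owner-only permissions, refuse to overwrite, and
audit the result. Function names and the bundle are constructed."""
import json
import os
import stat
import tempfile


def _write_exclusive(path: str, data: bytes) -> None:
    # O_EXCL: fail instead of overwriting or following a pre-planted symlink.
    # 0o600 at creation: no window in which the file is readable by others.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        if hasattr(os, "fchmod"):
            os.fchmod(fd, 0o600)      # the creation mode is masked by umask
        view = memoryview(data)
        while view:                    # os.write may be partial
            n = os.write(fd, view)
            view = view[n:]
    finally:
        os.close(fd)


def persist_identity(state_dir: str, bundle: dict) -> str:
    """Write bundle to <state_dir>/identity.json; raises FileExistsError if present."""
    os.makedirs(state_dir, mode=0o700, exist_ok=True)
    os.chmod(state_dir, 0o700)         # makedirs honours umask; enforce explicitly
    path = os.path.join(state_dir, "identity.json")
    _write_exclusive(path, json.dumps(bundle).encode())
    return path


def audit_secret_file(path: str) -> list:
    """Reasons not to trust a secret file (empty list means it passed)."""
    problems = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        problems.append("path is a symlink")
    if st.st_mode & 0o077:
        problems.append(f"mode {oct(st.st_mode & 0o777)} is group/world accessible")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append("owned by another user")
    parent = os.lstat(os.path.dirname(path) or ".")
    if parent.st_mode & 0o077:
        problems.append("parent directory is group/world accessible")
    return problems


SAMPLE_BUNDLE = {  # constructed placeholder values, not real key material
    "did": "did:example:agent-1",
    "jwt": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2ln",
    "signing_key_pem": "-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VwBCIEIAAA\n-----END PRIVATE KEY-----\n",
    "x25519_key_pem": "-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VuBCIEIAAA\n-----END PRIVATE KEY-----\n",
}


def demo() -> tuple:
    """Write once, audit, then confirm a second write is refused."""
    state_dir = tempfile.mkdtemp(prefix="agent-state-")
    path = persist_identity(state_dir, SAMPLE_BUNDLE)
    try:
        persist_identity(state_dir, SAMPLE_BUNDLE)
        refused = False
    except FileExistsError:
        refused = True
    return audit_secret_file(path), refused


if __name__ == "__main__":
    problems, refused = demo()
    print("audit problems:", problems or "none", "| overwrite refused:", refused)
```

The audit is the part worth running on an existing installation: if it reports a symlink, a foreign owner or a permissive mode on the file or its directory, the saved JWT and private keys should be treated as exposed and rotated.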

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This is a real vulnerability. The exported state includes raw private key PEM material for both the signing key and X25519 key, which means any caller, log sink, crash dump, backup, or persistence layer handling the exported object can recover long-term private keys and fully impersonate the agent or decrypt future session setup traffic. In this skill’s context, that is especially dangerous because the component manages agent identity and E2EE messaging, so key exposure directly undermines authentication, confidentiality, and non-repudiation across the agent’s communications.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The WebSocket client places the JWT bearer token directly into the connection URL query string. Query parameters are commonly exposed in logs, proxy access logs, browser history, monitoring systems, exceptions, and referrer-like telemetry, so a leaked token could let an attacker authenticate as the agent until expiry. In an identity and encrypted messaging skill, this is especially sensitive because the token protects DID-linked messaging access.
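Two mitigations for this finding and for the two above it (the partial JWT printed to stdout and the private-key PEM in exported state), as an added example that is not part of the original report or the skill's code: move the token out of the URL into a header dict (the dict is library-agnostic; which WebSocket library the skill uses is not known from the report), and scrub JWTs, truncated JWT prefixes and PEM private-key blocks from anything about to be printed or logged. `TOKEN_PARAMS`, the sample URL, the sample JWT and the sample log lines are constructed for illustration.

```python
"""Added example (not the skill's code): (1) strip a bearer token from a
WebSocket URL's query string into an Authorization header, and (2) redact
JWTs and PEM private keys before output. Samples are constructed."""
import base64
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAMS = {"token", "access_token", "jwt"}   # assumed query-parameter names

# "eyJ" is base64url for '{', so this catches whole JWTs and also the
# truncated prefixes that "print the first part of the token" leaks.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{8,}(?:\.[A-Za-z0-9_-]*){0,2}")
PEM_RE = re.compile(
    r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----.*?-----END [A-Z0-9 ]*PRIVATE KEY-----", re.S)
QUERY_TOKEN_RE = re.compile(r"([?&](?:token|access_token|jwt)=)[^&\s\[]+")


def to_header_auth(ws_url: str) -> tuple:
    """Return (url without token params, headers carrying the token)."""
    parts = urlsplit(ws_url)
    kept, token = [], None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in TOKEN_PARAMS:
            token = value
        else:
            kept.append((key, value))
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path,
                        urlencode(kept, safe=":"), parts.fragment))
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return clean, headers


def redact(text: str) -> str:
    """Mask token query values, JWTs (whole or partial) and PEM private keys."""
    text = QUERY_TOKEN_RE.sub(r"\1[REDACTED]", text)
    text = JWT_RE.sub("[REDACTED JWT]", text)
    return PEM_RE.sub("[REDACTED PRIVATE KEY]", text)


def contains_secret(text: str) -> bool:
    return bool(JWT_RE.search(text) or PEM_RE.search(text) or QUERY_TOKEN_RE.search(text))


def safe_print(*parts) -> str:
    """Drop-in for print() in status and debug output; returns the printed line."""
    line = redact(" ".join(str(p) for p in parts))
    print(line)
    return line


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed, non-secret JWT: {"alg":"HS256"} . {"sub":"did:example:agent-1"} . fake signature
SAMPLE_JWT = ".".join([_b64url(b'{"alg":"HS256"}'),
                       _b64url(b'{"sub":"did:example:agent-1"}'),
                       _b64url(b"sig")])
SAMPLE_WS_URL = f"wss://relay.example/ws?did=did:example:agent-1&token={SAMPLE_JWT}"
SAMPLE_PEM = "-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VuBCIEIAAA\n-----END PRIVATE KEY-----"
SAMPLE_LOG_LINES = [                       # constructed lines mirroring the findings
    f"connecting to {SAMPLE_WS_URL}",
    f"refreshed JWT: {SAMPLE_JWT[:40]}...",                  # "first part of the token"
    f"exported state: {{'x25519_key_pem': '{SAMPLE_PEM}'}}",  # PEM in exported state
]

if __name__ == "__main__":
    clean_url, headers = to_header_auth(SAMPLE_WS_URL)
    print(clean_url, headers.keys())
    for line in SAMPLE_LOG_LINES:
        safe_print(line)
```

The redactor errs toward masking (any `eyJ`-prefixed run of base64url is treated as a token), which is the right trade-off for output that reaches logs; the header form keeps the token out of proxy access logs and URL-bearing telemetry, though it is still visible to any hop that terminates TLS.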

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The code sends a structured payload containing sender/receiver identifiers, message type, group ID, and raw message content to an external HTTP hook, and also requests downstream delivery to external channels. In the context of a DID identity and E2EE inbox skill, exporting decrypted message content and metadata to external webhook infrastructure without clear in-code consent gating or minimization is a serious privacy and confidentiality issue.
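The fan-out this finding and the Context-Inappropriate Capability finding describe, beside a gated alternative, as an added example that is not part of the original report or the skill's code: delivery goes only to targets the user explicitly bound to the conversation, and the payload carries a notification rather than the decrypted body unless the target is individually cleared for content. `Target`, `InboundMessage`, `ForwardPolicy`, the session list and the sample message are constructed for illustration (the channel names mirror the Telegram/Feishu targets the findings mention).

```python
"""Added example (not the skill's code): forward to allow-listed targets
with a minimized payload instead of to every active gateway session.
All classes and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Target:
    channel: str      # "telegram", "feishu", ...
    target_id: str


@dataclass
class InboundMessage:
    msg_id: str
    conversation_id: str
    sender_did: str
    receiver_did: str
    msg_type: str
    group_id: Optional[str]
    content: str      # decrypted plaintext


@dataclass
class ForwardPolicy:
    # conversation_id -> targets the user explicitly bound to that conversation
    allowed: dict = field(default_factory=dict)
    # targets the user explicitly cleared to receive message bodies
    content_ok: set = field(default_factory=set)


def forward_vulnerable(msg: InboundMessage, active_sessions: list) -> list:
    """The behaviour in the findings: every discovered session gets the full payload."""
    payload = {"from": msg.sender_did, "to": msg.receiver_did, "type": msg.msg_type,
               "group_id": msg.group_id, "content": msg.content}
    return [(target, payload) for target in active_sessions]


def forward_hardened(msg: InboundMessage, active_sessions: list,
                     policy: ForwardPolicy) -> list:
    """Deliver only to allow-listed targets; minimize unless cleared for content."""
    allowed = policy.allowed.get(msg.conversation_id, set())
    deliveries = []
    for target in active_sessions:
        if target not in allowed:
            continue                      # recent activity is not consent
        payload = {"from": msg.sender_did, "type": msg.msg_type, "msg_id": msg.msg_id}
        if target in policy.content_ok:
            payload["content"] = msg.content
        else:
            payload["summary"] = "new encrypted message; open it in the agent to read"
        deliveries.append((target, payload))
    return deliveries


# Constructed sample: three recently active sessions, one bound to the conversation.
SAMPLE_SESSIONS = [Target("telegram", "chat-1001"), Target("feishu", "oc_abc"),
                   Target("telegram", "chat-2002")]
SAMPLE_POLICY = ForwardPolicy(allowed={"conv-alice": {Target("telegram", "chat-1001")}})
SAMPLE_MSG = InboundMessage("m-1", "conv-alice", "did:example:alice",
                            "did:example:agent-1", "text", None, "salary figures attached")

if __name__ == "__main__":
    print("vulnerable:", forward_vulnerable(SAMPLE_MSG, SAMPLE_SESSIONS))
    print("hardened:  ", forward_hardened(SAMPLE_MSG, SAMPLE_SESSIONS, SAMPLE_POLICY))
```

With an empty policy the hardened path forwards nothing, which is the safe default for a freshly installed skill; the user opts each target in per conversation, and opts it in a second time before bodies are included.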

Ssd 3

Severity: Medium
Confidence: 94%
Finding
This instruction tells the agent to directly surface decrypted E2EE message plaintext as part of normal heartbeat handling. Even if decryption is technically possible, exposing plaintext automatically defeats the expectation that encrypted inbox contents are only revealed when the user intentionally opens or requests them.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The report format includes a template that prints decrypted plaintext from encrypted messages directly into session output. That increases accidental disclosure risk through logs, shared terminals, model context retention, and unintended display to anyone with access to the conversation.

Ssd 3

Severity: High
Confidence: 97%
Finding
The document states that `check_status.py` auto-processes E2EE messages by default and decrypts unread encrypted messages into plaintext for heartbeat results. Making this mandatory creates systematic exposure of confidential message content in a background workflow, which is especially risky for an identity/messaging skill handling private communications.
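A heartbeat shape that avoids the exposure described in this finding and the three heartbeat and report-template findings before it, as an added example that is not part of the original report or the skill's code: the status check reports counts, senders and ages of unread encrypted items and never decrypts; decryption happens in a separate call that requires consent naming that exact message; and the report renderer refuses any summary carrying a plaintext field. `EncryptedItem`, `heartbeat_summary`, `open_message`, `render_heartbeat` and the XOR stand-in for the real session decrypt are constructed for illustration (the XOR is a placeholder so the example runs offline, not a cipher).

```python
"""Added example (not the skill's code): a heartbeat that counts sealed
messages without decrypting them, a per-message consent gate for reading,
and a report template that cannot carry plaintext. All names and the XOR
decrypt stand-in are constructed for illustration."""
from dataclasses import dataclass
import json


@dataclass
class EncryptedItem:
    msg_id: str
    sender_did: str
    ciphertext: bytes
    received_at: int      # unix seconds
    read: bool = False


SESSION_KEY = b"constructed-demo-key"   # stand-in for the real per-session key


def _xor(data: bytes, key: bytes) -> bytes:
    # Placeholder for the real E2EE session decrypt; NOT a cipher to use anywhere.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def heartbeat_summary(inbox: list, now: int) -> dict:
    """What a status check needs: how many sealed items, from whom, how old."""
    unread = [m for m in inbox if not m.read]
    by_sender = {}
    for m in unread:
        by_sender[m.sender_did] = by_sender.get(m.sender_did, 0) + 1
    oldest = max((now - m.received_at for m in unread), default=0)
    return {"unread_encrypted": len(unread), "by_sender": by_sender, "oldest_unread_s": oldest}


class ConsentRequired(PermissionError):
    pass


def open_message(inbox: list, msg_id: str, session_key: bytes, consent_for) -> str:
    """Decrypt one message. consent_for must name this msg_id: consent is per message,
    never a blanket flag inherited from a heartbeat or session-start routine."""
    if consent_for != msg_id:
        raise ConsentRequired(f"no explicit consent to open {msg_id}")
    for m in inbox:
        if m.msg_id == msg_id:
            m.read = True
            return _xor(m.ciphertext, session_key).decode()
    raise KeyError(msg_id)


def render_heartbeat(summary: dict) -> str:
    """Report template: counts and DIDs only. A plaintext-bearing summary is a bug."""
    forbidden = {"plaintext", "content", "body"} & set(summary)
    if forbidden:
        raise ValueError(f"heartbeat report must not carry {sorted(forbidden)}")
    return json.dumps(summary, sort_keys=True)


def sample_inbox() -> list:
    """Constructed inbox: two sealed items; plaintext exists only behind the key."""
    return [
        EncryptedItem("m-1", "did:example:alice", _xor(b"meet at 9", SESSION_KEY), 1_700_000_000),
        EncryptedItem("m-2", "did:example:bob", _xor(b"salary figures attached", SESSION_KEY), 1_700_000_300),
    ]


def demo() -> dict:
    inbox = sample_inbox()
    now = 1_700_000_600
    before = heartbeat_summary(inbox, now)
    try:
        open_message(inbox, "m-2", SESSION_KEY, consent_for=None)
        consent_enforced = False
    except ConsentRequired:
        consent_enforced = True
    try:
        render_heartbeat({**before, "plaintext": "leak"})
        template_refuses_plaintext = False
    except ValueError:
        template_refuses_plaintext = True
    plaintext = open_message(inbox, "m-2", SESSION_KEY, consent_for="m-2")
    after = heartbeat_summary(inbox, now)
    return {"report": render_heartbeat(before), "before": before["unread_encrypted"],
            "after": after["unread_encrypted"], "oldest_unread_s": before["oldest_unread_s"],
            "consent_enforced": consent_enforced, "plaintext": plaintext,
            "template_refuses_plaintext": template_refuses_plaintext}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The heartbeat output here is safe to place in session context, logs and forwarded notifications because nothing in it was ever decrypted; the plaintext from `open_message` is returned to the caller who consented and goes nowhere else.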

Ssd 4

Severity: Medium
Confidence: 89%
Finding
The autonomous discovery mode preauthorizes follow actions and saving contacts, which are sensitive social actions with privacy and reputational consequences. This lowers the barrier for the agent to build relationship graphs and persist third-party data based on inferred value rather than per-action user consent.

Ssd 4

Severity: Medium
Confidence: 91%
Finding
The 9-step discovery workflow systematizes profiling members, reading profiles and group messages, and then escalating to follows, DMs and local contact storage. In context, that is a pipeline that could automate persuasive outreach and relationship building at scale, and it is capable of social engineering if misused.

VirusTotal

64/64 vendors flagged this skill as clean.
