Agent Desapetc 123

Security checks across malware telemetry and agentic risk

Overview

This skill matches its identity purpose, but it creates long-lived signing keys and can store them unencrypted by default, so it needs careful review before use.

Review before installing. Use this only if you intend to create a persistent agent identity. Set `BILLIONS_NETWORK_MASTER_KMS_KEY` before creating or importing any identity, do not import a production wallet private key, restrict access to `$HOME/.openclaw/billions`, and require explicit confirmation before any signing or human-agent linking action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The `list()` method returns every stored private key in raw form, turning a metadata/enumeration API into a bulk secret-exfiltration primitive. In an identity and proof-generation skill, exposing signing keys is especially dangerous because compromise enables impersonation, fraudulent attestations, and persistent account takeover.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Bulk retrieval of all raw private keys is an unjustified capability for this component and greatly increases blast radius: any caller with access to `list()` can immediately extract all identities managed by the store. Given the skill's purpose of agent identity verification, those keys are the core trust anchors, so disclosure directly enables identity spoofing and unauthorized proof generation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly states that private keys are stored in `kms.json` as raw hex when `BILLIONS_NETWORK_MASTER_KMS_KEY` is not set, but the warning is not prominent where key creation/import is documented. For an identity-management skill, this is dangerous because users may generate or import real Ethereum private keys and unknowingly persist them unencrypted on disk, enabling account compromise if the host or home directory is accessed.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The example invocation allows the skill to trigger on generic requests like linking an agent identity, with no requirement for explicit confirmation, destination validation, or trust boundary checks. In an identity-management skill, broad triggers can cause unintended signing or identity-linking operations that have real authentication consequences.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup instructions tell users to create and manage decentralized identities, including private-key-backed identities, without a prominent warning that this generates sensitive long-lived authentication material. Users may follow the workflow without understanding the security implications, storage location, or recovery risks.

Missing User Warnings

High
Confidence
96% confidence
Finding
The documentation states that `kms.json` may contain private keys in plaintext if `BILLIONS_NETWORK_MASTER_KMS_KEY` is not set, but it does not make this an operational blocker or provide a strong warning before use. Plaintext storage of identity keys materially increases the chance of credential theft, impersonation, and long-term compromise of the agent identity.

Missing User Warnings

High
Confidence
97% confidence
Finding
When no master key is present, `_encodeEntry` silently falls back to `provider: plain` and writes the private key directly to disk. This insecure-by-default behavior can expose long-lived signing keys to filesystem compromise, backups, logs, or accidental sharing, which is particularly severe for an identity system where stolen keys allow impersonation.

VirusTotal

65/65 vendors flagged this skill as clean.