Project Desapetc

Security checks across malware telemetry and agentic risk

Overview

This identity skill is mostly coherent, but it handles agent private keys and signing authority with insecure defaults that users should review before installing.

Install only if you are comfortable with an agent creating and using a persistent decentralized identity. Configure BILLIONS_NETWORK_MASTER_KMS_KEY before creating identities, avoid passing existing private keys on the command line, protect $HOME/.openclaw/billions like a secret store, and only allow the agent to sign challenges or link identities when you trust the verifier and understand what is being signed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

MCP Least Privilege

Medium
Confidence
94% confidence
Finding
The skill declares no permissions while its documentation clearly directs use of Node-based scripts that access environment-sensitive storage under $HOME and perform network-backed identity operations. This mismatch is dangerous because downstream systems or reviewers may underestimate the skill's ability to read sensitive local identity material and communicate with external services.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The list() method returns every stored private key in raw form, turning a metadata/enumeration API into a bulk secret-exfiltration primitive. In an identity and authentication skill, private keys are the root of trust, so exposing them directly enables impersonation, unauthorized signing, and compromise of all managed identities if this method is reachable by other components or logs.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code supports bulk plaintext export of the entire key store via list(), which is broader and more dangerous than the stated identity-verification purpose. A single call can disclose all private keys at once, greatly increasing blast radius and making theft, accidental logging, or downstream misuse far more severe than individual key access.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The list() API returns every stored private key in raw form, not just aliases or metadata. In an identity/authentication skill, exposing private key material through a bulk enumeration method greatly expands the blast radius of any caller confusion, misuse, or compromise, enabling full key theft and impersonation rather than simple key lookup.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The invocation guidance is broad enough to match common identity and authentication requests, including signing challenges and use of shared JWT tokens, without strong exclusions or confirmation requirements. In an agent setting, this can cause the skill to trigger in situations where it signs data, links identities, or performs trust-establishing actions too readily.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to create an identity and link it to a human DID, which results in persistent storage of sensitive identity data, but it does not present a prominent warning or explicit consent step beforehand. This is risky because users may unknowingly create long-lived credentials and local key material with privacy and security consequences.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code sends the full authorization request object to an external URL shortener service without any visible user disclosure or consent. In an identity-linking flow, this request can contain sensitive metadata such as verifier identifiers, callback information, scope details, and challenge-related data, creating a privacy leak and expanding trust to a third party that can log, correlate, or tamper with requests.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code persists KMS-backed key material to a local file via `KeysFileStorage("kms.json")`, which creates a clear confidentiality risk if the host filesystem is accessed by other users, malware, backups, or logs. In an agent-identity skill, these keys are highly sensitive because compromise can enable impersonation, signing of proofs, and loss of trust in issued identities.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The runtime stores credentials, identities, and profile data in local JSON files without any visible safeguards or disclosure. While persistence itself can be legitimate, these artifacts may contain sensitive identity metadata and credential contents that can be harvested or tampered with if local storage is exposed.

Missing User Warnings

Low
Confidence
76% confidence
Finding
DID and challenge data are also persisted locally, which expands the sensitive footprint on disk. Challenge material can be security-relevant in authentication flows, and local storage without protection may enable replay support, disclosure of identifiers, or tampering depending on how the files are later consumed.

Missing User Warnings

High
Confidence
98% confidence
Finding
When no master key is configured, _encodeEntry() silently stores private keys on disk in plaintext. Because these are authentication keys for decentralized identity, plaintext persistence substantially lowers the bar for compromise through local file access, backups, container image leakage, developer workstations, or misconfigured volumes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly instructs users to pass a raw Ethereum private key on the command line, which is sensitive secret material that can be exposed through shell history, process listings, logs, screenshots, or copied command transcripts. In the context of an identity-management skill that controls cryptographic identities, compromise of that key directly enables identity takeover and unauthorized signing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs users to create and manage decentralized identities and later discloses that the associated private keys may be stored in plaintext when BILLIONS_NETWORK_MASTER_KMS_KEY is not set. That creates a real secret-handling weakness because an agent or user may follow the documented workflow without realizing key material is left unprotected on disk, enabling identity theft, unauthorized signing, and persistent compromise of the DID.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code sends the full authorization request payload to an external URL shortener service, which may include sensitive identity-verification metadata, scopes, callback information, and verifier context. Even if the shortener is described as trusted, this introduces unnecessary third-party exposure, logging, and correlation risk without any visible user consent or disclosure in this flow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code initializes key storage with a file-backed store ("kms.json"), which means sensitive private key material is persisted to local disk. In an agent skill handling decentralized identity and authentication proofs, unprotected local persistence increases the risk of credential theft, host compromise impact, backup leakage, and accidental sharing across environments.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Credential, identity, profile, DID, and challenge data are written to local JSON files without any visible consent, warning, or protection controls in this code path. Because this skill is explicitly for agent-human identity linkage and proof generation, these files may contain sensitive identifiers, attestations, and challenge artifacts that could be harvested or reused if the host is multi-tenant or compromised.

Missing User Warnings

High
Confidence
98% confidence
Finding
When no master key is available, _encodeEntry() silently falls back to provider: "plain" and writes private keys unencrypted to disk. Because this component stores cryptographic identity keys for agents, plaintext-at-rest storage materially increases the risk of credential theft, agent impersonation, and persistent compromise from filesystem access, backups, logs, or misconfigured environments.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This script will sign attacker-supplied challenge JSON using KMS-backed DID key material with no explicit validation of the challenge origin, no policy checks on what is being signed, and no interactive confirmation before the cryptographic operation. In an agent skill context, that makes unauthorized proof generation easier if an upstream caller can feed arbitrary challenge data, potentially allowing impersonation or unintended attestations tied to the agent's identity.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sends a user-supplied DID to a third-party resolver service over the network without any disclosure, consent, or local-only option. Even if the DID is not secret by design, resolver queries can expose user activity, correlate identities, and leak verification attempts to an external provider, which is especially relevant in an identity-verification skill where metadata privacy matters.

VirusTotal

65/65 vendors flagged this skill as clean.
