Back to skill
Skillv1.0.0
VirusTotal security
Project Desapetc · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 6:16 AM
- Hash
- b8f4a79fde772fe4cea358a3dade6ba33cc6e8fc7ebd4993c7c77b87242a67be
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: project-desapetc Version: 1.0.0 The skill manages decentralized identities (DIDs) and handles sensitive private keys, storing them in '$HOME/.openclaw/billions/kms.json'. A significant security concern is that keys are stored in plaintext by default unless the 'BILLIONS_NETWORK_MASTER_KMS_KEY' environment variable is manually configured for AES-256-GCM encryption. Additionally, the skill performs network requests to 'identity-dashboard.billions.network' and 'attestation-relay.billions.network' (in linkHumanToAgent.js) to facilitate identity linking, which involves transmitting signed JWS tokens. While these actions align with the stated purpose, the handling of raw private keys and the potential for plaintext storage on disk represents a high-risk vulnerability.
- External report
- View on VirusTotal