Verified Agent Identity

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate decentralized identity skill, but it needs review because it creates persistent signing keys and can store private keys in plaintext by default.

Install only if you intentionally want the agent to have a persistent Billions/iden3 identity. Configure BILLIONS_NETWORK_MASTER_KMS_KEY before creating or importing keys, use a dedicated key rather than a valuable wallet key, protect or back up $HOME/.openclaw/billions carefully, and approve signing or human-linking requests only when you understand what proof will be shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The function is explicitly described as creating an in-memory KMS, but it actually uses KeysFileStorage("kms.json"), which persists cryptographic keys to disk. This mismatch can cause developers and operators to handle the component with weaker safeguards than required, increasing the risk of secret disclosure through local file access, backups, logs, or container volume leakage.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
When no master key is configured, _encodeEntry stores privateKeyHex directly on disk under provider='plain', which exposes raw private keys at rest. In an identity/authentication skill, compromise of these keys can let an attacker impersonate agents, forge proofs, or take over identities if the host or filesystem is accessed.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The list() method returns every alias together with the full private key material, unnecessarily broadening exposure of secrets. Any caller with access to this API can enumerate and exfiltrate all stored keys in one operation, which is especially dangerous for a decentralized identity system where keys are the identity root of trust.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This workflow performs security-sensitive actions: it installs and executes a package directly from the registry via `npx ...@latest`, creates a new Ethereum identity, and links a human to an agent using fixed challenge data, all without any approval gate, disclosure, or integrity pinning. In the context of an identity-verification skill, these actions can create or bind credentials unexpectedly and expose users to supply-chain compromise or unintended identity operations if the workflow is manually triggered by a maintainer who does not understand the consequences.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly states that private keys are stored in plaintext unless BILLIONS_NETWORK_MASTER_KMS_KEY is set, but the installation and identity-creation steps appear earlier without a prominent warning. This creates a realistic risk that users will generate long-lived agent identity keys and persist them unencrypted on disk by default, leading to credential compromise if the host or user profile is accessed.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The 'When to use this Skill' triggers are broad and overlap with common identity and authentication tasks, so the skill may be invoked in situations where the user did not intend to use this specific provider or workflow. In an identity skill, accidental invocation is more dangerous because it can trigger signing, identity creation, or linkage flows involving sensitive keys and external attestations.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The example request phrase 'Link your agent identity to me' is generic and likely to match many ordinary identity-related conversations, which can cause unintended skill activation. Because this skill can sign challenges and create verifiable identity links, ambiguous invocation raises the chance of executing sensitive operations without clear user intent or provider selection.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill recommends creating and linking identities before surfacing the critical warning that private keys may be stored in plaintext unless a master encryption key is configured. In the context of an identity-management skill handling long-lived signing keys, this omission can lead users to generate sensitive credentials in an insecure local state, exposing account takeover and impersonation risks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code stores KMS, credential, identity, DID, and challenge data in local JSON files without any visible warning, consent flow, or protection mechanism in this module. In an identity/authentication skill, these files may contain highly sensitive material, so silent persistence materially raises the risk of credential theft, impersonation, and privacy compromise if the host environment is shared or insufficiently hardened.

Missing User Warnings

High
Confidence
97% confidence
Finding
The code silently persists private keys in plaintext if no master key exists, with no warning, prompt, or explicit opt-in from the operator. This creates a hidden insecure default that can leave sensitive authentication material exposed on disk without users realizing the protection is absent.

Credential Access

High
Category
Privilege Escalation
Content
function newDataStorage(ethStateStorage) {
  return {
    credential: new CredentialStorage(
      new IdentitiesFileStorage("credentials.json"),
    ),
    identity: new IdentityStorage(
      new IdentitiesFileStorage("identities.json"),
Confidence
87% confidence
Finding
credentials.json

VirusTotal

65/65 vendors flagged this skill as clean.
