Skill v1.0.1
ClawScan security
holdcc_eth · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Apr 30, 2026, 4:43 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's description and runtime instructions expect JavaScript scripts and local key management, but the package contains only SKILL.md (no scripts), asks you to run npm/node (which would fetch/run code) and store private keys under $HOME/.openclaw/billions — these mismatches and secret-handling implications warrant caution and code-level review before use.
- Guidance: Do not run the provided commands or grant the agent autonomous execution until you verify the actual code. Ask the publisher for the missing scripts, package.json, and a dependency list; review those files for network calls, telemetry, and how private keys are stored/encrypted. If you must test, do so in an isolated environment (air-gapped or throwaway VM) and require use of a secure KMS/vault (verify the script supports BILLIONS_NETWORK_MASTER_KMS_KEY). Refuse to run npm install blindly — inspect package.json and the lockfile first. If you cannot obtain or audit the script source, treat the skill as untrusted because it would generate and hold private keys and could exfiltrate them.
- Findings
- [NO_CODE_FILES_PRESENT] unexpected: The regex-based scanner had nothing to analyze because the bundle contains only SKILL.md. This is NOT expected for a skill whose instructions reference multiple scripts (scripts/*.js) — the missing code prevents auditing of actual behavior.
Review Dimensions
- Purpose & Capability
- note: The stated purpose (manage DIDs, sign/verify challenges) is consistent with requiring 'node'. However, the SKILL.md references multiple scripts (scripts/*.js) and npm install, while the skill bundle contains no code files. That makes the capability claim incoherent in practice: the skill cannot perform its stated actions as delivered.
- Instruction Scope
- concern: Instructions tell the agent/operator to run 'npm install' and various node scripts that create and sign keys, store challenges, and write identity data to $HOME/.openclaw/billions. Those operations involve generating and storing private keys and producing JWS tokens. The SKILL.md forbids manual key manipulation and external crypto tools, but gives no details on storage encryption or network endpoints used by the scripts. Because the actual scripts are not present, their behavior (network requests, telemetry, key handling, dependency list) cannot be audited.
- Install Mechanism
- concern: There is no install spec in the registry (instruction-only). Yet runtime instructions require 'npm install' inside a scripts directory — which would fetch code from registries. Since no package.json or scripts are included, it's unclear what will be installed or from where. In practice this implies that running the steps could pull arbitrary packages; without included code you cannot verify what would be executed.
- Credentials
- note: The skill declares no required environment variables, but the embedded metadata lists an optional BILLIONS_NETWORK_MASTER_KMS_KEY. The functionality requires private key generation and local storage, which are sensitive; requiring no credentials is plausible but unusual given the sensitive operations. The lack of explicit, required KMS or vault integration means private keys may be stored locally and unencrypted unless the missing scripts implement encryption — unknown without code.
- Persistence & Privilege
- ok: 'always' is false and the skill does not request system-wide config changes or other skills' credentials. It writes to a single user-scoped path ($HOME/.openclaw/billions) per its documentation, which is expected for per-user identity storage, though the security of that storage is unknown.
