Back to skill
Skillv1.0.1
VirusTotal security
holdcc_eth · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 5:44 AM
- Hash
- ee0462d594c216ed9d2b52b081598df613495d6cd4967c6984130a5d2896ea20
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: verified-agent-identity-3 Version: 1.0.1 The skill manages sensitive Ethereum private keys and explicitly states in SKILL.md that they are stored in plaintext within '$HOME/.openclaw/billions/kms.json' unless an optional environment variable is set. While the bundle describes a decentralized identity (DID) framework, the practice of storing unencrypted private keys in a predictable local directory is a high-risk vulnerability. Additionally, the 'Billions Network' and 'ERC-8004' are not widely recognized industry standards, and the instructions require the agent to handle raw private key hex strings via command-line arguments, increasing the risk of credential exposure in process logs.
- External report
- View on VirusTotal