Billions Network - Verified Agent Identity

Security checks across malware telemetry and agentic risk

Overview

This identity skill is mostly transparent and purpose-aligned, but it stores agent identity keys in plaintext and can send signed identity proofs without strong confirmation controls.

Install only if you are comfortable with this skill creating or importing an agent identity key, storing it locally in plaintext, and sending signed proofs or verification links through OpenClaw messages. Use a dedicated low-value identity, avoid pasting private keys into chat or command lines, restrict access to $HOME/.openclaw/billions, and verify the recipient and challenge before running sign or link commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares no explicit permissions while its documented behavior clearly uses environment-backed local storage and network-capable messaging (`openclaw message send`). This creates a transparency and policy gap: users or hosting platforms may authorize the skill under false assumptions about its actual capabilities, which increases the chance of unintended data exposure or outbound transmission of identity artifacts.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This utility module includes a generic outbound messaging capability by invoking an external CLI (`openclaw message send`) from a shared helper file, which expands the skill's effective behavior beyond its declared identity/authentication scope. Even though `execFileSync` is used with argument arrays and there is some input validation, the main security issue is hidden capability expansion: other parts of the skill can trigger exfiltration, unsolicited messaging, or social-engineering workflows through a reusable helper that is not obviously tied to authentication.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code invokes an external messaging command unrelated to core identity verification, creating a side-effecting execution path that can communicate outside the system boundary. In the context of an agent skill advertised for authentication and identity management, this is more dangerous because users and reviewers may not expect messaging behavior, making it easier to misuse the skill for covert notifications, data leakage, or unauthorized contact despite the limited shell-operator checks.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The README instructs users to initialize identity-linking with a very generic natural-language prompt ('Please link your agent identity to me'). Broad trigger phrases can be invoked unintentionally or spoofed by untrusted conversation participants, causing the agent to enter a sensitive identity-verification flow without strong user intent confirmation. In an identity-management skill, ambiguous activation increases the risk of social engineering and unauthorized workflow initiation.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation examples are broad and conversational enough that ordinary user requests like “Link your agent identity to me” could trigger high-risk identity actions without strong confirmation. In this skill, such triggering is especially sensitive because it can cause signing operations and outbound delivery of verification material tied to a DID.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill instructs users to create identities and later admits that sensitive identity data, including unencrypted private keys in `kms.json`, is stored under `$HOME/.openclaw/billions`, but it does not present a clear warning before key creation/use. This is dangerous because operators may unknowingly generate long-lived credentials that are recoverable by other local processes, compromised accounts, backups, or accidental disclosure.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script accepts or generates an Ethereum private key, imports it into the KMS-backed key store, and derives a persistent identity from it without any explicit user warning, confirmation, or disclosure about key custody and persistence. In an agent-skill context, this is risky because operators may reasonably assume the key is used transiently, while the skill actually stores highly sensitive material and links it to identity state that could later be abused if the KMS or runtime is shared or compromised.

Missing User Warnings

Low
Confidence
84% confidence
Finding
This code sends a wallet pairing URL directly to an arbitrary recipient via `sendDirectMessage(args.to, url, ...)` without any visible user confirmation, disclosure, or recipient validation in this file. Because the URL encapsulates an authorization request used to link a human identity to an agent, silent or opaque delivery increases the risk of phishing-like consent capture, misdelivery, or unauthorized identity binding if an attacker controls the destination or tricks the operator into sending it.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code persists private key material to a local file via `KeysFileStorage("kms.json")`, which creates a durable secret at rest that can be stolen by any local user, malware, backup system, or misconfigured workspace sharing the filesystem. In an identity/authentication skill, compromise of KMS-backed keys can enable impersonation, unauthorized signing, and loss of agent identity integrity, making this more serious than ordinary application state persistence.

Missing User Warnings

Low
Confidence
84% confidence
Finding
Credential and identity records are written to local JSON files without any visible protection or disclosure. In an identity-management context, these files may contain sensitive claims, identifiers, or profile metadata that can be harvested for tracking, privacy loss, or follow-on attacks if the host is shared or compromised.

Missing User Warnings

Low
Confidence
76% confidence
Finding
DID and challenge data are persisted locally without explicit disclosure. While less sensitive than private keys, these artifacts can still reveal identity relationships, authentication activity, and challenge/response workflow details that may aid profiling or replay-adjacent abuse if other controls are weak.

Missing User Warnings

High
Confidence
97% confidence
Finding
This code stores private cryptographic keys directly in a local JSON file and also exposes them via `list()`, which returns raw key material. Plain file-based storage significantly increases the risk of key theft through local compromise, backups, logs, accidental inclusion in source artifacts, or overly permissive filesystem access; in an identity/authentication skill, compromise of these keys can enable impersonation, signing abuse, and loss of trust.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This script signs an authentication challenge and sends the resulting token directly to a recipient without any confirmation, preview, or disclosure to the user in this file. Because the challenge is fully supplied via CLI input and may contain attacker-controlled content, the tool can be used to trick an operator or calling agent into generating and exfiltrating a valid proof to an arbitrary recipient, increasing the risk of confused-deputy abuse and unintended authentication delegation.

VirusTotal

56/56 vendors flagged this skill as clean.