Billionsnetwork Verified Agent Identity 0.0.2

Security checks across malware telemetry and agentic risk

Overview

This identity skill is mostly coherent, but it should be reviewed because it stores unencrypted private keys and can send signed identity proofs without a strong confirmation step.

Install only if you are comfortable with a local plaintext key store under $HOME/.openclaw/billions and with the agent sending signed identity proofs or verification links through OpenClaw direct messages. Treat kms.json, challenge data, tokens, and pairing URLs as sensitive; use this on a trusted single-user machine and confirm the recipient and challenge before any signing or linking action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The utility exposes a function that sends outbound direct messages by invoking an external CLI, which goes beyond the stated identity/authentication purpose of the skill. Even though the code uses execFileSync and applies some input validation, it still enables unsolicited external communications that could be abused by other parts of the skill to exfiltrate data, contact arbitrary recipients, or perform actions the user did not expect.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README explicitly states that private keys are stored in `$HOME/.openclaw/billions/kms.json` as unencrypted, owner-readable files, but it does not prominently warn users about the sensitivity of this material or the consequences of compromise. For an identity/authentication skill, disclosure or local theft of these keys would allow full impersonation of the agent identity and unauthorized signing operations.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding
The example invocation is broad enough that a normal conversational request like 'Link your agent identity to me' could directly trigger signing and outbound identity-linking behavior. In a security-sensitive identity skill, ambiguous activation increases the chance of social-engineering-driven proof generation or unintended identity linkage without adequate confirmation.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
This section documents signing challenges and sending JWS tokens or verification responses via direct message, but does not prominently warn that authentication artifacts are being transmitted to an external party. Because these artifacts are identity proofs, unclear disclosure increases the risk of accidental exfiltration, replay misuse, or users consenting without understanding the sensitivity of what is being sent.

Missing User Warnings

Severity: Low
Confidence: 82%
Finding
The script prints the generated pairing URL directly to stdout, and pairing URLs for identity-linking flows often embed tokens, session identifiers, or one-time challenge material. If stdout is visible to other users, captured in shell history, CI logs, terminal recording, or centralized log collection, an unintended party could obtain the URL and interfere with or complete the pairing flow.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The code persists key material via a file-backed keystore (kms.json), which creates a local-at-rest secret exposure risk if the host filesystem is accessible, backed up insecurely, or shared across users. In an agent identity/authentication skill, private keys are high-value secrets because compromise enables impersonation, signing, and unauthorized identity operations.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
Credential, identity, and profile data are written to local JSON files without any evident encryption, access control hardening, or disclosure. These files may contain sensitive identity artifacts and metadata that can leak user relationships, credentials, or operational state if the local machine or workspace is compromised.

Missing User Warnings

Severity: Low
Confidence: 78%
Finding
Persisting DID state and challenge data to disk can expose authentication workflow state, identifiers, or replay-relevant material to local attackers or other processes on the same host. While generally less sensitive than private keys, challenge and DID state can still aid account correlation, session abuse, or debugging-data leakage.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
This code persists private cryptographic keys directly to a local JSON file as plaintext (`privateKeyHex`) with no encryption, access control, or secure keystore integration. If the host filesystem is read by another local user, malware, backups, logs, or container volume exposure, all stored private keys can be recovered and used to impersonate the agent or sign/derive credentials.
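The keystore findings above (the unencrypted kms.json, the loose local JSON files, and the plaintext `privateKeyHex` field) describe conditions a user can check for before installing or after first run. The following audit script is an added example and is not the skill's own code: it takes the path of a JSON keystore, reports group/other-accessible permissions on the file and its directory, walks the document for plaintext secret fields, and can tighten the permissions. The field name `privateKeyHex` is taken from the finding; the other field names in `SENSITIVE_FIELDS`, the `did:key:zDemo` identifier and the all-zero key bytes in the demo store are assumptions constructed for the example.

```python
"""Audit a file-backed JSON keystore such as the kms.json this skill writes.
Added example, not the skill's own code. Only the field name privateKeyHex
comes from the scan findings; the rest of the field list is assumed."""
import json
import os
import stat
import tempfile
from pathlib import Path

# Field names that should never sit in plaintext on disk (assumed list;
# privateKeyHex is the one the finding names).
SENSITIVE_FIELDS = {"privateKeyHex", "privateKey", "seed", "mnemonic", "token"}


def _find_sensitive(obj, path="$"):
    """Yield JSON paths of non-empty sensitive string fields, at any depth."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_FIELDS and isinstance(value, str) and value:
                yield child
            yield from _find_sensitive(value, child)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _find_sensitive(value, f"{path}[{i}]")


def _group_or_other_bits(path):
    """Permission bits granting anything to group or other (0 means none)."""
    return stat.S_IMODE(path.stat().st_mode) & (stat.S_IRWXG | stat.S_IRWXO)


def audit_keystore(path):
    """Return a list of human-readable issues; an empty list means clean."""
    p = Path(path)
    if not p.is_file():
        return [f"{p}: keystore file not found"]
    issues = []
    if _group_or_other_bits(p.parent):
        issues.append(f"{p.parent}: directory is group/other accessible")
    if _group_or_other_bits(p):
        mode = oct(stat.S_IMODE(p.stat().st_mode))
        issues.append(f"{p}: file mode {mode} is group/other readable")
    try:
        doc = json.loads(p.read_text())
    except ValueError as exc:
        return issues + [f"{p}: not valid JSON ({exc})"]
    for json_path in _find_sensitive(doc):
        issues.append(f"{p}: plaintext secret at {json_path}")
    return issues


def restrict_permissions(path):
    """Owner-only directory, owner read/write file; returns the new file mode."""
    p = Path(path)
    os.chmod(p.parent, 0o700)
    os.chmod(p, 0o600)
    return stat.S_IMODE(p.stat().st_mode)


def build_demo_store(directory=None):
    """Write a constructed kms.json (fake all-zero key) with loose permissions.
    The layout is assumed; it only needs to resemble a key-bearing JSON file."""
    directory = Path(directory or tempfile.mkdtemp(prefix="billions-demo-"))
    store = directory / "kms.json"
    store.write_text(json.dumps({
        "keys": [{"kid": "did:key:zDemo", "privateKeyHex": "00" * 32}]
    }))
    os.chmod(store, 0o644)  # owner rw, group/other read: the bad case
    return store


if __name__ == "__main__":
    # Against the real install, use: audit_keystore(Path.home() / ".openclaw/billions/kms.json")
    demo = build_demo_store()
    for issue in audit_keystore(demo):
        print("FAIL", issue)
    restrict_permissions(demo)
    print("after chmod:", audit_keystore(demo))
```

Tightening permissions removes the shared-host exposure but not the plaintext finding itself; the script keeps reporting the `privateKeyHex` path after `restrict_permissions` so that the at-rest issue is not mistaken for fixed. Encrypting the key or moving it into an OS keychain is the skill's change to make, not the user's.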

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The code launches an external subprocess to send a message without any visible confirmation, prompt, or warning to the user. This creates a silent side-effect boundary where higher-level code can trigger external communications non-interactively, increasing the risk of covert messaging, data leakage, or misuse in automated contexts.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The script signs an authentication challenge using the agent's DID key and immediately transmits the resulting token to an arbitrary recipient specified by --to, but provides no explicit confirmation, recipient validation, or user-facing disclosure of what identity assertion is being sent. In an identity-management skill, this is security-relevant because a caller can unintentionally or deceptively cause the agent to produce and send a valid signed authentication response to another party, increasing the risk of unauthorized identity proofing, replay into another workflow, or exfiltration of a sensitive signed token.
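The outbound-messaging findings (the unconfirmed subprocess send, the broad trigger, the JWS tokens sent by direct message, and the challenge signed for whatever `--to` names) all come down to one missing gate between "a challenge arrived" and "a signed proof left the machine". The following is an added example of such a gate and is not the skill's own code: the skill's real challenge format, signing routine and message transport are not on this page, so `Challenge`, `sign()` and `send()` are assumed placeholders. The checks are the ones the findings ask for: recipient allowlist, challenge audience bound to that recipient, expiry, one-time nonce, and an explicit confirmation showing exactly what will be sent and to whom.

```python
"""Confirmation gate in front of a sign-and-send step.
Added example, not the skill's own code: Challenge, sign() and send() are
assumed placeholders standing in for the real challenge, DID-key signing
and OpenClaw direct-message transport, none of which this page shows."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Challenge:
    nonce: str          # one-time value issued by the verifier (assumed field)
    audience: str       # who the verifier says the proof is for (assumed field)
    expires_at: float   # unix time after which no proof must be produced


@dataclass
class ProofGate:
    allowed_recipients: set
    seen_nonces: set = field(default_factory=set)

    def reasons_to_refuse(self, challenge, recipient, now):
        """Every condition that must hold before a signature is even computed."""
        reasons = []
        if recipient not in self.allowed_recipients:
            reasons.append(f"recipient {recipient!r} is not on the allowlist")
        if challenge.audience != recipient:
            reasons.append("challenge audience does not match recipient")
        if now >= challenge.expires_at:
            reasons.append("challenge has expired")
        if challenge.nonce in self.seen_nonces:
            reasons.append("nonce already answered (possible replay)")
        return reasons

    def sign_and_send(self, challenge, recipient, now, confirm, sign, send):
        """Return (status, reasons). sign() and send() run only on 'sent'."""
        reasons = self.reasons_to_refuse(challenge, recipient, now)
        if reasons:
            return "refused", reasons
        summary = (f"Sign identity proof for nonce {challenge.nonce} and send "
                   f"it to {recipient}; challenge expires at {challenge.expires_at:.0f}")
        if not confirm(summary):          # the user sees what leaves the machine
            return "declined", ["user did not confirm"]
        self.seen_nonces.add(challenge.nonce)  # burn the nonce before sending
        send(recipient, sign(challenge))
        return "sent", []


def demo():
    """Run the gate over four constructed scenarios.
    Returns (list of statuses, list of (recipient, token) actually sent)."""
    outbox = []
    gate = ProofGate(allowed_recipients={"@alice"})
    sign = lambda ch: f"jws-for-{ch.nonce}"       # placeholder, not a real JWS
    send = lambda to, token: outbox.append((to, token))
    yes, no = (lambda s: True), (lambda s: False)
    now = 1_700_000_000
    ok = Challenge("n1", "@alice", now + 600)
    stranger = Challenge("n2", "@mallory", now + 600)
    fresh = Challenge("n3", "@alice", now + 600)
    results = [
        gate.sign_and_send(ok, "@alice", now, yes, sign, send),        # sent
        gate.sign_and_send(ok, "@alice", now, yes, sign, send),        # replayed nonce
        gate.sign_and_send(stranger, "@mallory", now, yes, sign, send),  # not allowlisted
        gate.sign_and_send(fresh, "@alice", now, no, sign, send),      # user declines
    ]
    return [status for status, _ in results], outbox


if __name__ == "__main__":
    statuses, sent = demo()
    print(statuses)   # ['sent', 'refused', 'refused', 'declined']
    print(sent)       # [('@alice', 'jws-for-n1')]
```

The ordering matters: every refusal is decided before the private key is touched, and the confirmation text names the nonce, the recipient and the expiry so that a prompt-injected or socially engineered request ("Link your agent identity to me") cannot be approved without the user seeing who will receive a valid proof. Burning the nonce before the send, rather than after, keeps a failed transport from leaving a signable challenge behind.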

VirusTotal

64/64 vendors flagged this skill as clean.
