Identity 2.0.4

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed identity and x402 payment helper that stores local signing keys; no hidden exfiltration or automatic payment behavior was found, but users should enable key encryption and confirm payments carefully.

Install only if you want an agent identity tool that can also sign x402 payments. Before creating or importing identities, set BILLIONS_NETWORK_MASTER_KMS_KEY, use a dedicated no-funds identity key, and restrict ~/.openclaw/billions permissions. Treat every phase-two x402 action as a real payment decision: review the resource URL, asset, amount, network, and selected DID before approving.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares runtime requirements for Node and references network-dependent identity/payment flows, plus optional access to a sensitive environment variable, but it does not declare permissions corresponding to environment and network use. This weakens reviewability and sandbox/policy enforcement because operators cannot clearly see that the skill may read secrets from the environment and communicate with external services.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This skill file is materially misaligned with the declared skill purpose: instead of verified agent identity/KYA functions, it documents a payment-execution workflow for 402-gated resources. Capability drift like this is dangerous because it can cause an agent or reviewer to trust and enable financial operations under the guise of an identity skill, weakening user consent and policy controls.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documented ability to sign payments and fetch paid resources is not justified by the stated verified-identity purpose, creating an unjustified high-risk capability expansion. In practice, this can bypass least-privilege expectations: operators may approve an identity skill while unintentionally granting transaction-signing and outbound payment behavior.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The list() method returns every stored private key in raw form, turning a metadata/enumeration API into a bulk secret-exfiltration primitive. In an agent identity context, these keys likely control signing authority and impersonation capabilities, so any caller with access to this method can extract all identities at once.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup instructions tell the user to install and run the skill before clearly warning that it may create and persist private key material under $HOME/.openclaw/billions, and that kms.json may be plaintext if BILLIONS_NETWORK_MASTER_KMS_KEY is not set. That creates a real risk of users generating long-lived credentials on disk without understanding the exposure or enabling encryption first.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documentation explicitly instructs users to pass a raw private key on the command line, which commonly exposes secrets through shell history, process listings, logs, and telemetry. In an identity-management skill, this is especially sensitive because compromise of the private key can permanently compromise the agent's DID and any authentication or attestation actions performed with it.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The documentation states that generated challenges are stored in a predictable local file path but provides no warning about local persistence, retention, or access control implications. While the challenge itself is usually less sensitive than a private key, writing verification data to disk can leak operational metadata, enable replay/debugging misuse if mishandled, or expose identity-verification activity to other local users or processes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown instructs the agent to execute payment flows and transmit payment signatures to external resources, but it does not prominently warn about financial cost, irreversible signing effects, or network disclosure of payment-related data. That omission can lead users to authorize actions without understanding that real funds, signatures, and request metadata may be transmitted off-system.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The workflow instructs the agent to enumerate identities and silently fall back to a default DID without a clear privacy warning. Even if no payment occurs yet, accessing and selecting identity material can disclose or normalize use of a default identity without sufficient user awareness or context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script persists the full payment challenge JSON to a predictable file in the system temp directory without setting restrictive permissions, encryption, or an expiry/deletion mechanism. In multi-user environments or on systems where temp directories are broadly readable, this can expose payment metadata, resource URLs, attestation requirements, or other challenge contents to other local users or processes, and the file can also be tampered with before phase 2 consumes it.

Missing User Warnings

High
Confidence
97% confidence
Finding
When no master key is present, _encodeEntry stores privateKeyHex directly on disk in plaintext. For agent identity software handling authentication keys, this is dangerous because filesystem compromise, backups, logs, or accidental sharing of kms.json would immediately expose keys that enable signing and impersonation.

Credential Access

High
Category
Privilege Escalation
Content
- `kms.json` — **CRITICAL**: Contains private keys (encrypted if `BILLIONS_NETWORK_MASTER_KMS_KEY` is set, otherwise plaintext)
- `defaultDid.json` — DID identifiers and public keys
- `challenges.json` — Authentication challenges history
- `credentials.json` — Verifiable credentials
- `identities.json` — Identity metadata
- `profiles.json` — Profile data
Confidence
78% confidence
Finding
credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.