Skill v1.0.0
ClawScan security
Pairing Agent Core · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 10:26 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions mostly match an identity/linking purpose, but there are important inconsistencies and security-relevant design choices (undocumented optional master key, default plaintext private-key storage, and automated network callbacks/shortener) that the user should understand before installing.
- Guidance
  This skill generally does what it says (create/manage DIDs and generate pairing URLs), but there are a few things to check before you install or run it:
  - Private-key storage: by default the skill writes keys to $HOME/.openclaw/billions/kms.json. Unless you set BILLIONS_NETWORK_MASTER_KMS_KEY, the keys will be stored as plain hex strings. If you plan to use this skill, either set a strong BILLIONS_NETWORK_MASTER_KMS_KEY or keep the skill in an isolated environment.
  - Undeclared env var: the SKILL metadata declares no required env vars, but README and code use BILLIONS_NETWORK_MASTER_KMS_KEY. Treat that omission as an inconsistency — the skill will behave differently depending on whether that env var is set.
  - Network endpoints & callbacks: linking creates a JWS token and constructs a callback URL that points to attestation-relay.billions.network (and uses identity-dashboard.billions.network as a URL shortener). The process will expose signed attestation data and URLs to those endpoints as part of the verification flow. Verify you are comfortable with those domains and that they belong to the expected Billions/Privado infrastructure before sending attestations.
  - Dependency install: the instructions run npm install (package-lock present). Audit dependencies (or run installs in an environment you control) if you require higher assurance.
  - Operational guidance: if you proceed, set BILLIONS_NETWORK_MASTER_KMS_KEY to a strong secret (preferably supplied via a secure skill config or secret manager), verify and back up your keys as needed, and consider running the skill in a dedicated account/container so any plaintext secrets are not mixed with other workloads.

  If you want higher assurance, ask the publisher for: an explicit list of required env vars in the skill metadata, a threat model describing what specific attestations are sent to attestation-relay, and confirmation that attestation-relay and identity-dashboard are controlled by the Billions project (DNS/cert proof or repo/docs).
Review Dimensions
- Purpose & Capability (note): Name/description align with the code: scripts create/manage DIDs, sign challenges, and produce pairing URLs. The only required binary is node, which is appropriate. The included npm dependencies and package-lock are expected for an identity toolkit (iden3/polygonid/ethers).
- Instruction Scope (concern): Runtime instructions tell the agent to run npm install and Node scripts that create keys, persist them under $HOME/.openclaw/billions, and perform network calls (resolver.privado.id, identity-dashboard.billions.network, attestation-relay.billions.network, wallet.billions.network). The SKILL.md / README prohibit ad-hoc cryptographic work, but the scripts will write private keys to disk and create JWS tokens and callback URLs — behaviour that exposes key material and attestations to the defined network endpoints. The SKILL.md does not declare the optional BILLIONS_NETWORK_MASTER_KMS_KEY env var used in the code.
- Install Mechanism (note): No install spec in skill metadata, but package.json/package-lock are included and SKILL.md instructs running npm install in the scripts directory. That will fetch many npm packages from the npm registry — a normal practice for Node tools, but a moderate-risk action compared to instruction-only skills because it pulls code at install time.
- Credentials (concern): Declared requirements list no env vars, but the code/README rely on an optional BILLIONS_NETWORK_MASTER_KMS_KEY for encrypting private keys. If that env var is not set, private keys are persisted in plaintext in kms.json. The README suggests setting the master key in the skill config (which is itself a secret-storage decision). The skill reads process.env.HOME and an optional master key; no other unrelated credentials are requested. However, the omission of BILLIONS_NETWORK_MASTER_KMS_KEY from the declared env requirements is an inconsistency and a security risk, because users may not realise keys will be stored unencrypted by default.
- Persistence & Privilege (note): The skill persists cryptographic material and identity metadata to $HOME/.openclaw/billions (kms.json, identities.json, defaultDid.json, challenges.json, etc.). It does not request always: true or attempt to modify other skills. Persistent storage of private keys is inherent to its purpose, but storing keys in the user's home directory (and in plain text if the master key is not set) is a material persistence/privilege concern users should be aware of.
