ClawHub

V Identity Ilhant34

Security checks across malware telemetry and agentic risk

Overview

This identity skill appears to do what it claims, but it handles private keys and identity-linking actions in ways users should review carefully before installing.

Install only if you trust this publisher and the Billions identity flow. Set BILLIONS_NETWORK_MASTER_KMS_KEY before creating or importing an identity, protect $HOME/.openclaw/billions from backups or shared users, avoid passing private keys on the command line, and confirm any request before letting the agent create, link, or sign with an identity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions while explicitly requiring a Node runtime, optional access to an environment secret, and performing identity/network operations. This mismatch can mislead operators and downstream policy engines about the skill's actual capabilities, reducing scrutiny over access to secrets and external services.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The suggested trigger phrase, "Please link your agent identity to me," is broad natural-language instruction that could be invoked unintentionally or by a third party in a normal conversation. In an identity-management skill, actions that initiate linking or proof workflows should require explicit, narrowly scoped commands and confirmation, otherwise the agent may start a sensitive authentication flow without sufficient user intent verification.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation guidance is broad enough that common identity- or authentication-related user requests could trigger actions such as signing challenges, linking identities, or creating DIDs. In an identity-management skill, ambiguous triggering is risky because these actions can create persistent identity records or generate authentication artifacts without sufficiently explicit user consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill accepts a raw private key via command line and describes local storage of identity material, but does not prominently warn that command-line arguments may be exposed through shell history, process listings, logs, or transcripts. In this context, the risk is heightened because the same document later states keys may be stored in plaintext if a master KMS key is not set.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script automatically creates a new Ethereum-based DID and immediately persists it as the default identity with `isDefault: true`, without any confirmation, dry-run mode, or warning to the operator. In an identity-management skill, this can silently alter local identity state, causing accidental identity replacement, operational confusion, or downstream use of the wrong DID in attestations and authentication flows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script accepts raw private key material from arguments and otherwise generates and retains a private key in process memory to derive the identity seed and signer. In a decentralized identity tool, direct CLI handling of private keys is dangerous because command-line arguments may be exposed via shell history, process listings, logs, or wrapper tooling, which could allow theft of the underlying Ethereum identity and full compromise of the agent's authentication authority.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends the full authorization request payload to an external URL shortener service, which can expose sensitive verification metadata, challenge details, scope parameters, and callback information to a third party. In an identity-linking skill, this is especially risky because the payload relates to human-to-agent identity verification and may enable tracking, correlation, or misuse if the shortener is compromised, logs requests, or is malicious.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code initializes key storage with a file-backed store (`kms.json`), which persists cryptographic key material to local disk. Storing private keys unencrypted or without explicit operator awareness increases the risk of key theft from the host filesystem, backups, logs, or container volumes, especially in an agent skill handling identity proofs.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Credentials, identities, and profiles are persisted to local JSON files, which can contain sensitive identity and attestation data. In the context of a decentralized identity skill, local plaintext storage materially raises privacy and impersonation risks if the filesystem is accessible to other users, compromised processes, or leaked backups.

Missing User Warnings

Low
Confidence
80% confidence
Finding
DID and challenge state are written to local files, which may expose authentication workflow state or enable replay/operational abuse if an attacker can read or tamper with those files. While less sensitive than private keys, challenge data in an authentication system still has security relevance and should not be treated as harmless cache data.

Missing User Warnings

High
Confidence
98% confidence
Finding
When no master key is configured, _encodeEntry falls back to provider:"plain" and writes the raw privateKeyHex to kms.json on disk. For a decentralized identity/agent authentication skill, plaintext private key storage is highly sensitive because compromise of the file enables identity theft, unauthorized signing, and persistent impersonation of the agent or linked identity.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The list() method returns every alias together with the full private key material, unnecessarily exposing secrets through an enumeration API. In an agent identity system, this broad disclosure increases the blast radius of any misuse, logging leak, plugin misuse, or unauthorized caller, because one call can exfiltrate all managed private keys.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal