simple-skill-ilya
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches its identity-management purpose, but its message-sending helper builds an unsafe shell command that could let a crafted recipient value run unintended local commands, and it stores identity private keys unencrypted.
Review this skill carefully before installing. If you use it, avoid importing a valuable existing wallet key, protect the $HOME/.openclaw/billions directory, verify every recipient before sending proof or pairing links, and consider fixing the unsafe shell command before running it with untrusted sender or target values.
Static analysis
Static analysis findings are pending for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed recipient value could cause the agent's machine to run unintended local commands when it tries to send an identity proof or pairing link.
The helper constructs a shell command with unescaped target and message values. Callers pass CLI --to values into this helper, so a crafted target can inject shell syntax or alter the openclaw command.
execSync(`openclaw message send --target ${target} --message "${message}"`);
Replace execSync string execution with execFile/spawn and an argument array, validate allowed target formats, and require user review before sending identity proofs.
Anyone who can read the local OpenClaw Billions directory may be able to use or copy the agent identity's private key.
The skill explicitly stores identity private keys locally and unencrypted. This is central to its DID/identity purpose, but it is sensitive credential material.
`kms.json` - **CRITICAL**: Contains unencrypted private keys
Use a fresh identity-specific key rather than a valuable wallet key, protect file permissions on $HOME/.openclaw/billions, and delete or back up keys intentionally.
If sent to the wrong party, identity proof or pairing information could be exposed or misused for unintended linking attempts.
A signed identity proof is embedded into a verification callback URL and the resulting link is sent by direct message. This is expected for linking, but the recipient and provider data flow are sensitive.
const callback = callbackBase + jws; ... sendDirectMessage(args.to, urlFormating(verificationMessage, url));
Confirm the recipient before sending proofs or pairing links, and treat generated JWS tokens and verification URLs as sensitive until the workflow completes.
Installing dependencies runs code from the npm ecosystem and should be done only if the publisher and package set are trusted.
The skill requires local npm dependency installation even though the registry install spec is absent. The included package-lock reduces ambiguity, but dependency installation is still a supply-chain surface.
cd scripts && npm install
Review scripts/package-lock.json, install in a constrained environment, and prefer npm ci or pinned dependencies where possible.
