My Verified Agent

Security checks across malware telemetry and agentic risk

Overview

This identity skill appears purpose-built, but it should be reviewed because it creates and uses long-lived identity keys that can be stored locally in plaintext unless encryption is configured.

Install only if you trust the publisher and need Billions DID identity linking. Before creating any identity, set `BILLIONS_NETWORK_MASTER_KMS_KEY`, protect `$HOME/.openclaw/billions`, avoid importing valuable wallet keys with `--key`, and treat any signing or linking request as a sensitive identity action that should require explicit user intent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The function name and comment claim an in-memory KMS, but it actually uses a file-backed keystore via `KeysFileStorage("kms.json")`. This mismatch can cause developers and users to assume keys are ephemeral when they are persisted on disk, increasing the chance of accidental key exposure, unsafe backup/sync behavior, or improper operational handling of sensitive material.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation instructs users to create identities and persist sensitive identity artifacts under `$HOME/.openclaw/billions`, while later noting that private keys may be stored in plaintext if `BILLIONS_NETWORK_MASTER_KMS_KEY` is unset. Failing to present an explicit warning before these writes can cause users to unknowingly create long-lived sensitive material on disk, increasing the chance of credential theft from local compromise, backup leakage, or multi-user systems.

Missing User Warnings

High
Confidence: 99%
Finding
Accepting a raw private key via a `--key` command-line argument is dangerous because command-line parameters are often exposed through shell history, process listings, job logs, and telemetry. This can directly leak the user's long-term identity key, enabling impersonation, signature forgery, and permanent compromise of the associated decentralized identity.

Missing User Warnings

Medium
Confidence: 89%
Finding
Private key material appears to be written to a local file (`kms.json`) without any visible encryption, permission hardening, or explicit disclosure in this code path. In an agent environment, local file storage of cryptographic secrets can be exfiltrated by other processes, backups, logs, or accidental repository inclusion, leading to identity takeover and unauthorized signing.

Missing User Warnings

High
Confidence: 96%
Finding
This code explicitly falls back to `provider: "plain"` and writes `privateKeyHex` directly to disk whenever no master key is configured. Because this skill manages decentralized identity and authentication material, storing raw private keys in `kms.json` can let anyone with filesystem access, backups, logs, or accidental file inclusion fully compromise agent identity and generate valid proofs.

VirusTotal

66/66 vendors flagged this skill as clean.
