Leanjutsu

Security checks across malware telemetry and agentic risk

Overview

This skill matches its identity-management purpose, but it warrants Review because it creates durable agent signing keys that may be stored locally in plaintext unless encryption is configured.

Install only if you intend to let this skill manage an agent DID and signing keys. Configure BILLIONS_NETWORK_MASTER_KMS_KEY before creating or importing identities, avoid passing valuable existing private keys on the command line, protect $HOME/.openclaw/billions from backups or other users, and expect DID/linking activity to contact Billions and Privado resolver services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The list() method returns every stored private key in raw plaintext, turning a metadata/listing API into a bulk secret disclosure primitive. In an identity/attestation skill, exposing all private signing keys dramatically increases blast radius: any caller with access to this method can exfiltrate keys and impersonate agents or generate fraudulent proofs.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
This code provides a bulk plaintext export path for all private keys via list(), which is not necessary for ordinary key storage or identity verification workflows. If invoked by an untrusted component, plugin, or compromised caller, it enables immediate full compromise of all managed identities because every private key can be harvested in one call.

Missing User Warnings

Medium
Confidence: 96%
Finding
The instructions tell users to create a new identity and optionally supply a raw private key, while later noting that kms.json may store private keys in plaintext if no master key is set. Without an upfront warning, this encourages creation/import of sensitive key material that may be persisted to disk insecurely, risking identity theft and long-term compromise of the DID.

Missing User Warnings

Medium
Confidence: 91%
Finding
The linking flow instructs agents to create verification requests and link a human to an agent DID through external registries, but it does not clearly warn that identity attributes and relationship metadata will be transmitted to third-party network services. In an identity skill, this omission is especially sensitive because users may unknowingly publish or expose association data that is difficult to revoke.

Missing User Warnings

Medium
Confidence: 88%
Finding
The code persists KMS-backed key material to a local file via `KeysFileStorage("kms.json")`, which can expose private keys if the filesystem is shared, backed up insecurely, committed to source control, or readable by other local users/processes. In an identity/authentication skill, storing cryptographic keys in plaintext or insufficiently protected local files materially increases the risk of account/identity takeover.

Missing User Warnings

Medium
Confidence: 84%
Finding
The runtime stores credentials, identities, profiles, DIDs, and challenge data in local JSON files without any visible safeguards in this code. For an agent identity system, these artifacts can contain sensitive identity metadata, authentication state, and replay-relevant challenge material, so local persistence broadens the attack surface through filesystem disclosure, theft, or accidental exposure.

Missing User Warnings

Medium
Confidence: 96%
Finding
When no master key is configured, _encodeEntry() silently stores private keys on disk with provider: "plain", leaving long-term signing material recoverable from the filesystem or backups. For an SSI/agent identity skill, plaintext at-rest storage is especially dangerous because theft of these keys enables durable impersonation and forged attestations.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script sends the user-supplied DID to a third-party resolver service (`resolver.privado.id`) during signature verification without any disclosure or opt-in in this file. Because DIDs can identify users or agents and may be linkable to authentication activity, this creates a privacy leak and metadata exposure to an external party whenever verification runs.

VirusTotal

61/61 vendors flagged this skill as clean.
