Security audit

verified-agent-identity-0.0.15

Security checks across malware telemetry and agentic risk

Overview

The skill’s identity features are mostly purpose-aligned, but it deserves review because it handles long-lived private keys with plaintext-by-default storage and unsafe command-line key import paths.

Install only if you intend this agent to manage a Billions decentralized identity. Set BILLIONS_NETWORK_MASTER_KMS_KEY before creating or importing identities, avoid passing valuable wallet/private keys on the command line, and treat $HOME/.openclaw/billions as secret storage: restrict access to it and include it in backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill explicitly requires Node and documents operations that use environment state and network-backed identity/attestation workflows, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an agent may invoke code with network and environment access without the user or platform having an accurate permission model.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The list() method returns full private key material for every stored alias, which unnecessarily broadens access to secrets and increases the blast radius of any caller that can invoke it. In an identity/authentication skill, exposing all private keys is especially dangerous because these keys can be used to impersonate agents or produce fraudulent proofs, not merely inspect metadata.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger guidance is broad enough to activate on routine identity or authentication requests, including shared JWT usage, without strong exclusions or consent boundaries. In practice this can cause an agent to enter sensitive identity-linking or signing flows too eagerly, increasing the chance of unintended credential operations or social-engineering-driven misuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup instructions direct the user to create an identity and potentially supply a private key before any prominent warning that sensitive material will be stored locally, and later note that keys may be plaintext if a master key is unset. That ordering is dangerous because it can lead users to generate or import long-lived credentials without understanding storage risks, local compromise exposure, or operational safeguards.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script accepts a raw private key via CLI arguments and directly uses it to derive an Ethereum identity without any warning, secure input handling, or disclosure of the risks. CLI-supplied secrets are commonly exposed through shell history, process listings, logs, and automation traces, so this creates a realistic path for credential leakage and subsequent identity or wallet compromise.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The KMS is backed by `KeysFileStorage("kms.json")`, which persists private key material to a local file, in plaintext unless a master key is configured. Storing agent signing keys on disk without encryption materially increases the risk of credential theft, agent impersonation, and unauthorized signing if the host, workspace, or repository is compromised. In an identity/authentication skill, this is more dangerous than usual because these keys underpin proofs and identity assertions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Credential and identity records are written to `credentials.json`, `identities.json`, and `profiles.json` without any visible access controls, encryption, or user disclosure. These files can contain sensitive identity metadata and verifiable credential contents, creating privacy leakage and facilitating correlation or misuse if local storage is exposed. In a decentralized identity skill, persistent local storage of such data is especially sensitive.

Missing User Warnings

Low
Confidence
77% confidence
Finding
DID and challenge state are persisted to `defaultDid.json` and `challenges.json` on disk. While less sensitive than private keys, challenge data can still aid replay analysis, session correlation, or reveal authentication flow details if an attacker gains filesystem access. The identity-verification context raises sensitivity because these artifacts relate directly to auth workflows.

Missing User Warnings

High
Confidence
99% confidence
Finding
If no master key is available, _encodeEntry() stores private keys to disk in plaintext, creating immediate compromise risk from local file access, backups, logs, container layers, or accidental repository inclusion. In a decentralized identity skill, theft of these private keys directly enables account takeover, proof forgery, and persistent identity impersonation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends a user-supplied DID to a third-party resolver service over the network without any disclosure, consent, or local-only option. Because DIDs can be linkable to a user's identity or agent relationship in this skill's identity-verification context, this creates a privacy leak and metadata exposure risk even if transport uses HTTPS.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.