Vai Layman88

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the identity-linking job it advertises, but it handles long-lived private identity keys in ways users should review carefully before installing.

Install only if you are comfortable letting this skill create, store, and use agent identity private keys. Set BILLIONS_NETWORK_MASTER_KMS_KEY before creating identities, avoid passing valuable or reusable wallet keys with --key, treat $HOME/.openclaw/billions as sensitive, and confirm any linking request before allowing the agent to sign or generate a verification URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The list() method returns every stored private key in raw form, enabling bulk secret exfiltration to any caller with access to this API. In an identity/attestation system, private keys are the root of trust, so exposing them through enumeration is substantially more dangerous than ordinary metadata disclosure because it allows impersonation and unauthorized proof generation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
This code provides bulk private-key retrieval capability via list(), which is unnecessary for most identity verification workflows and greatly expands the blast radius of any misuse. If an attacker or overprivileged component can invoke this method, they can harvest all agent identities at once and forge attestations or authenticate as multiple principals.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The list() method returns every stored private key in raw form, not just aliases or metadata. That unnecessarily broadens access to secret material and increases the blast radius of any caller that only needed enumeration, especially in an agent identity skill where private keys are the core authentication secret.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The README suggests triggering identity linking with a natural-language phrase like "Please link your agent identity to me," which is broad enough to overlap with ordinary conversation or prompt-injection content. In agent systems that map free-form user text to privileged skill actions, this can cause unintended initiation of a sensitive identity-linking flow without a clearly scoped command or confirmation boundary.

Vague Triggers

Severity: Medium
Confidence: 74%
Finding
The example invocation encourages identity-linking actions in response to a very broad request ('Link your agent identity to me'), which could overlap with common conversational prompts and lead an agent to perform sensitive identity operations without a sufficiently explicit consent or verification step. In an identity skill, that context makes the risk more significant because the action can mint or bind durable identity artifacts and ownership attestations.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The setup instructions direct users to create an identity and link it immediately, but do not warn up front that this process generates and stores long-lived sensitive key material and identity data under `$HOME/.openclaw/billions`. Because the skill later states that `kms.json` may hold private keys in plaintext when no master key is configured, the missing warning materially increases the chance of unsafe use and accidental exposure.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
When no master key is configured, _encodeEntry() silently stores private keys on disk in plaintext. Because these are identity keys for agents, filesystem compromise, backups, logs, or accidental file sharing would directly expose credentials that can be used to impersonate agents and produce fraudulent authentication proofs.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The documentation instructs users to create and manage decentralized identities and later discloses that sensitive key material may be stored in plaintext if BILLIONS_NETWORK_MASTER_KMS_KEY is not set. That creates a realistic risk of private key compromise from local filesystem access, backups, logs, or other co-resident processes, especially because the setup flow does not prominently warn users before identity creation.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
_encodeEntry() writes private keys to disk in plaintext whenever no master key is available, silently falling back to provider: "plain". In this skill, those keys represent agent identity and authentication authority, so plaintext storage enables local compromise, backup leakage, or accidental exfiltration to fully impersonate the agent.

VirusTotal

65/65 vendors flagged this skill as clean.
