Volcengine Agent Identity

Security checks across malware telemetry and agentic risk

Overview

This identity skill is mostly coherent, but it gives agents a documented path to receive raw credential values and persist environment secrets, so users should review it carefully before installing.

Install only if you trust the underlying agent-identity plugin and need agent-managed credentials. Prefer environment binding over `returnValue: true`, avoid asking the agent to reveal raw credentials, review provider scopes and env var names, and keep high-risk tool approvals under direct human control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding
The activation text uses broad triggers such as checking identity, getting credentials, configuring plugins, and approving risky tool calls, which can cause the skill to activate in contexts beyond strict identity management. Over-broad activation increases the chance the agent routes users into privileged login/credential workflows unnecessarily, exposing sensitive account state or initiating security-sensitive operations without sufficiently specific intent.

Ssd 3

High
Confidence: 99%
Finding
The documented `returnValue: true` behavior explicitly allows raw credential material to be returned in tool results for same-turn automation. Sending secrets into the model/output path materially increases the risk of credential disclosure through logs, transcript retention, downstream tool use, prompt injection, or accidental echoing back to the user.

Ssd 3

Medium
Confidence: 94%
Finding
The binding flow states that if a credential does not exist, the plugin may import it from `process.env[envVar]` into credential storage. That creates a path for environment-resident secrets to be copied into chat-accessible or agent-managed storage, broadening secret exposure and potentially converting runtime-only secrets into persistent credentials under user-driven workflows.

VirusTotal

66/66 vendors flagged this skill as clean.