Verified Agent Identity

Security checks across malware telemetry and agentic risk

Overview

This identity skill is mostly purpose-aligned, but it can persist powerful private identity keys in plaintext by default and documents unsafe command-line secret handling.

Review before installing. Use this only if you intend to create a persistent Billions agent identity; set BILLIONS_NETWORK_MASTER_KMS_KEY before generating or importing keys; avoid using an existing wallet key or passing secrets on the command line; and expect Billions/Privado services to receive verification or DID-resolution requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The function is explicitly presented as creating an in-memory KMS, but it uses a file-backed keystore (`KeysFileStorage("kms.json")`) that persists private key material to disk. This mismatch can cause callers to make unsafe assumptions about key lifetime and secrecy, increasing the chance that sensitive keys are left behind on shared hosts, containers, or developer machines.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The code explicitly falls back to storing private keys with provider "plain" when no master key is configured, which results in raw private key material being persisted to disk unencrypted. For an identity/authentication skill, compromise of these keys can enable full impersonation, fraudulent attestations, and account takeover of linked agent identities.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README explicitly instructs users to pass an existing Ethereum private key on the command line and later states that keys may be stored in plaintext when the master key is not set. Command-line arguments can be exposed via shell history, process listings, logs, or CI telemetry, so documenting this flow without a prominent warning encourages unsafe secret handling and can lead to private key compromise.

Missing User Warnings

Medium
Confidence: 88%
Finding
The installation and setup flow instructs users to create decentralized identities and link them to humans before presenting a clear up-front warning that sensitive key material will be generated and stored locally, potentially unencrypted. For identity software, this omission increases the chance that users expose long-lived credentials without understanding the risks.

Missing User Warnings

Medium
Confidence: 97%
Finding
The documentation shows passing a private key directly on the command line, which commonly exposes it via shell history, process listings, terminal logging, and CI telemetry. Because this is authentication key material, a single disclosure can permanently compromise the associated DID and any trust tied to it.

Missing User Warnings

Medium
Confidence: 94%
Finding
The code POSTs the full authorization request payload to an external URL shortener, which can expose sensitive verification metadata, scope details, callback information, and possibly signed request material to a third party. In an identity-linking flow, this increases privacy and integrity risk because the shortener becomes a trusted intermediary that can log, correlate, tamper with, or selectively deny requests without any explicit user-facing consent in this script.

Missing User Warnings

Medium
Confidence: 88%
Finding
Sensitive cryptographic key material appears to be written to a local file (`kms.json`) without any visible encryption, permission hardening, or user-facing disclosure. In an agent identity/authentication skill, compromise of these keys could let an attacker impersonate the agent, generate proofs, or misuse linked identities.

Missing User Warnings

High
Confidence: 98%
Finding
The implementation writes private keys to disk in plaintext with no interactive warning, opt-in, or audit signal when a master key is absent. This creates a high risk of secret leakage through local compromise, backups, logs, container image mishandling, or accidental file exposure, and the risk is amplified because the skill manages identity keys rather than non-sensitive metadata.

Missing User Warnings

Low
Confidence: 86%
Finding
The script sends the user-supplied DID to a third-party resolver service during signature verification, which creates an external disclosure of identity metadata without any explicit notice or consent in this file. While the token itself is not directly embedded in the fetch URL here, the DID is transmitted off-box and the verification flow depends on a remote service, which can leak usage patterns and introduce privacy and trust concerns.

VirusTotal

65/65 vendors flagged this skill as clean.