Security audit

Bitbrawlers Agent

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do the identity-linking work it advertises, but it handles private identity keys and authentication material in ways users should review carefully before installing.

Install only if you trust the publisher and the Billions identity infrastructure. Use a fresh agent identity key rather than a funded wallet key, set BILLIONS_NETWORK_MASTER_KMS_KEY before creating identities, restrict access to $HOME/.openclaw/billions, and avoid passing private keys or long-lived tokens directly in shell commands or chat transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest metadata identifies the skill as 'verified-agent-identity' for decentralized identity and attestation workflows, but the embedded agent.json describes an unrelated agent named 'BitBrawlers AI' for Web3 automation and analysis. This kind of metadata mismatch can mislead users, reviewers, or automated tooling about what is actually being installed or executed, creating a supply-chain trust issue and increasing the chance of deceptive packaging.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The list() method returns raw private key material for every stored alias, turning a metadata/enumeration API into a full secret-disclosure interface. In an identity and proof-generation context, exposing all private keys dramatically increases blast radius because any caller with access to this method can exfiltrate credentials and impersonate agents or identities.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
When no master key is configured, _encodeEntry() silently stores private keys on disk in plaintext. This creates immediate compromise risk from local file access, backups, logs, container snapshots, or accidental repository inclusion, which is especially dangerous for software managing decentralized identity credentials and signing keys.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly documents that private keys are stored in `kms.json` as raw hex when `BILLIONS_NETWORK_MASTER_KMS_KEY` is not set, which means sensitive signing material may be persisted unencrypted by default. In an agent skill context, long-lived private keys outside the workspace can still be exposed through host compromise, backups, logs, or misconfigured file permissions, leading to identity takeover and fraudulent attestations.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The 'When to use' section is broad enough that common identity or authentication-related prompts could invoke this skill without strong scoping, exclusions, or confirmation requirements. In practice, that increases the chance the agent will perform sensitive identity actions such as signing challenges, linking a human, or handling shared JWT-based authentication in response to ambiguous requests.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs users to create identities and link them to humans, which results in generation and storage of sensitive key material and identity metadata, but it does not present a prominent warning or obtain explicit informed consent before those steps. Because the skill later states that private keys may be stored in plaintext if BILLIONS_NETWORK_MASTER_KMS_KEY is unset, use without upfront warning creates real risk of secret exposure and unintended persistent identity creation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code sends the full authorization request payload to an external URL shortener service, which can expose identity-verification metadata, verifier details, scope contents, and callback information to a third party. In an identity-linking flow, this is especially sensitive because the request is part of authentication/proof generation, and there is no visible consent or minimization at the execution point.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code persists sensitive wallet material and identity-related data to predictable local JSON files such as kms.json, credentials.json, identities.json, profiles.json, and defaultDid.json without any visible encryption, access control, or warning. In an agent identity skill, these files can contain private keys, credentials, DIDs, and challenge state, so local compromise, accidental inclusion in backups/repos, or multi-user host access could expose authentication material and identity data.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code explicitly writes private keys unencrypted to kms.json without any warning, confirmation, or operational guardrail if the environment lacks a master key. Because these keys likely back authentication proofs and agent identity, plaintext persistence can enable theft, forgery, and long-term impersonation if the filesystem is exposed.

Credential Access

High
Category
Privilege Escalation
Content
function newDataStorage(ethStateStorage) {
  return {
    credential: new CredentialStorage(
      new IdentitiesFileStorage("credentials.json"),
    ),
    identity: new IdentityStorage(
      new IdentitiesFileStorage("identities.json"),
Confidence
94% confidence
Finding
credentials.json

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.secret_argv_exposure

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
SKILL.md:132