
Security audit

Agent

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for agent identity, but it needs review because it can create and sign with persistent identity keys that may be stored unencrypted and triggered by broad linking instructions.

Install only if you intentionally want this agent to create and use a Billions decentralized identity. Configure BILLIONS_NETWORK_MASTER_KMS_KEY before generating or importing keys, treat $HOME/.openclaw/billions as sensitive, avoid passing real private keys on the command line, and require explicit confirmation before any signing or human-agent linking action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The function is documented and named as creating an in-memory KMS, but it actually uses a file-backed keystore (`KeysFileStorage("kms.json")`) that persists private keys to disk. This mismatch can cause developers and operators to apply weaker security controls under the false assumption that secrets are ephemeral, increasing the risk of key disclosure through filesystem access, backups, or artifact leakage.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The list() method returns each alias together with the raw private key material, which unnecessarily expands access from key metadata enumeration to full secret exfiltration. In an agent identity or authentication context, any caller that can invoke list() can obtain all stored signing keys and impersonate agents or produce fraudulent proofs.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The README explicitly documents that when `BILLIONS_NETWORK_MASTER_KMS_KEY` is not set, private keys in `kms.json` are stored as raw hex strings. For a skill centered on identity and authentication, this creates a realistic secret-exposure risk because operators may follow setup instructions without understanding that agent signing keys are persisted unencrypted outside the workspace. The context makes this more dangerous, not less, because compromise of these keys enables identity takeover and fraudulent proof generation.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The 'When to use this Skill' section is broad enough to match common identity and authentication requests, which increases the chance of the skill being auto-invoked in situations the user did not specifically intend. In this skill, unintended invocation is more dangerous because the actions include creating identities, signing challenges, and linking a human identity to an agent DID.

Vague Triggers

Severity: Low
Confidence: 81%
Finding
The example trigger phrase 'Link your agent identity to me' is sufficiently generic that it could overlap with everyday conversational requests and cause the skill to run sensitive identity-linking logic. Because the skill can sign challenges and generate verification artifacts, a vague trigger raises the risk of social-engineered or accidental activation.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
When no master key is present, _encodeEntry() silently stores private keys on disk in plaintext under provider: "plain". Because this skill manages decentralized identity and authentication keys, plaintext storage materially increases the risk that local file disclosure, backup leakage, logs, container image capture, or compromised host access leads directly to account/identity takeover.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The suggested phrase "Please link your agent identity to me" is broad enough that an agent could plausibly receive it in normal conversation and interpret it as a command to begin a sensitive identity-linking workflow. Because this skill deals with DID creation and human-agent linking, ambiguous natural-language triggers increase the risk of unintended initiation, phishing-style social engineering, or accidental disclosure of verification links.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill instructs users to create a decentralized identity and potentially supply or generate a private key, but it does not present a clear safety warning before these steps about the sensitivity of the resulting key material or where it will be stored. In an agent setting, this increases the chance that operators trigger key generation or import without informed consent, leading to accidental exposure or persistence of sensitive identity secrets on disk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The authentication and linking sections describe signing challenges and linking humans to agent DIDs via the Billions ERC-8004 and Attestation Registries, but they do not clearly warn that identity-related data and attestations will be transmitted to external network services or registries. This omission can cause users or autonomous agents to disclose identifying metadata to third parties without understanding the privacy and permanence implications.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The code sends the full authorization request payload to an external URL shortener service, which can expose sensitive identity-verification metadata such as verifier information, requested scopes, callback URI, and challenge-related data to a third party. In an identity-linking skill, this is especially risky because the request is part of an authentication and proof flow; unauthorized disclosure can enable tracking, privacy loss, and potentially manipulation or replay targeting if the shortener or its logs are compromised.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The script interpolates a user-supplied DID into a request to an external resolver service, which discloses identifier data and metadata to a third party during verification. In an identity-verification context this can expose sensitive correlation information, and there is no visible consent, minimization, allowlisting, or local-resolution fallback in this file.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.