Security audit

Verified Agent Identity

Security checks across malware telemetry and agentic risk

Overview

This skill handles sensitive identity keys, but the behavior is coherent with its identity-linking purpose and is disclosed in the artifacts.

Before installing, decide whether you trust the Billions identity services and the npm dependencies. Set BILLIONS_NETWORK_MASTER_KMS_KEY before first use, restrict $HOME/.openclaw/billions permissions, and never import an Ethereum wallet key that controls funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The function is named and documented as creating an 'in-memory' KMS, but it actually uses KeysFileStorage('kms.json'), which persists private keys to disk. This mismatch can cause developers and operators to handle the component with weaker safeguards than required, increasing the risk of accidental key exposure, backup leakage, or insecure filesystem permissions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The list() method returns raw private key material for every stored entry, unnecessarily expanding access beyond metadata discovery into full secret exfiltration. Any caller with access to this interface can dump all managed private keys at once, which is especially dangerous in an agent skill handling identity/authentication credentials.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
When no master key is configured, _encodeEntry() silently stores private keys in plaintext on disk. This creates a direct compromise path through filesystem access, backups, logs, container layers, or accidental file disclosure, which is severe for authentication and decentralized identity keys.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The invocation examples use broad conversational triggers such as 'Link your agent identity to me,' which can overlap with ordinary chat and cause the skill to activate for sensitive identity-signing flows without sufficiently explicit intent. In this skill's context, activation is more dangerous because the resulting actions can create identities, sign challenges, and link a human to an agent DID, all of which are security-sensitive operations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
This code persists key material through a file-backed storage layer without any visible notice, consent flow, or protection mechanism in this file. In an agent identity skill, local persistence of cryptographic secrets is especially sensitive because compromise of those files can let an attacker impersonate the agent or associated identity.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
Credential, identity, profile, DID, and challenge data are written to local JSON-backed storage without any visible security controls in this code. Because this skill manages decentralized identity artifacts and authentication challenges, leakage or tampering of these files could expose sensitive metadata, facilitate replay or impersonation scenarios, or corrupt trust state.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
These lines implement the plaintext write path for private keys with no warning, confirmation, or enforcement of secure configuration. In practice this means deployments can unknowingly persist highly sensitive key material unencrypted, making theft of agent identities or signing authority much easier.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
function newDataStorage(ethStateStorage) {
  return {
    credential: new CredentialStorage(
      new IdentitiesFileStorage("credentials.json"),
    ),
    identity: new IdentityStorage(
      new IdentitiesFileStorage("identities.json"),
Confidence: 86%
Finding: credentials.json

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.