Verified Agent Identity

Security checks across malware telemetry and agentic risk

Overview

This identity skill matches its stated purpose, but it creates and uses persistent private keys with weak default protection that users should review before installing.

Install only if you trust the Billions identity workflow and are comfortable with persistent local identity keys. Set BILLIONS_NETWORK_MASTER_KMS_KEY before creating any identity, avoid passing real private keys with --key, review or protect $HOME/.openclaw/billions, and expect DID/authentication metadata to be sent to Billions and Privado services during linking and verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
This storage layer explicitly falls back to provider:"plain" and writes raw privateKeyHex values to disk whenever no master key is configured. Because this skill manages decentralized identity and authentication keys, plaintext storage at rest means that a local attacker, anyone who can read backups, a container escape, or an accidental file disclosure can fully compromise the agent identity and allow authentication proofs to be forged.

Intent-Code Divergence

Low
Confidence: 81%
Finding
The code comments claim encrypted entries that cannot be decoded are preserved, but importKey removes opaque entries with the same alias before writing. In a session without the master key, importing a key for an existing alias can therefore delete an unreadable encrypted private key, causing silent key loss or unintended key replacement that may break identity continuity and enable operational compromise.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs users to create and persist decentralized identity material, while later admitting that kms.json may store private keys in plaintext if BILLIONS_NETWORK_MASTER_KMS_KEY is unset. This is dangerous because identity keys are long-lived authentication secrets; plaintext local storage enables theft, impersonation, and irreversible compromise of the agent identity and linked attestations.

Missing User Warnings

Medium
Confidence: 92%
Finding
The bootstrap code persists key material and identity-related data to predictable local JSON files via file-backed storage classes, but there is no indication of encryption, access controls, or explicit operator awareness. In an agent setting, local files are often accessible to other processes, container users, backups, or logs, so compromise of these files could lead to wallet/key theft and identity impersonation.

Missing User Warnings

Low
Confidence: 91%
Finding
This code sends the user-supplied DID to a third-party resolver service, which creates a privacy leak because identifier lookups can be logged, correlated, and profiled by that remote service. In an identity-verification skill, that is especially relevant because DIDs may be tied to human identities and authentication activity, so silent transmission weakens user privacy even if signature verification is otherwise correct.

VirusTotal

63/63 vendors flagged this skill as clean.
