Birth System Manager

Security checks across malware telemetry and agentic risk

Overview

This local identity and migration skill is coherent in purpose, but it handles wallet secrets and broad local migration archives with weak disclosure and safeguards.

Review carefully before installing. Do not use this with a funded or important wallet, do not rely on the default pack password, avoid decrypting private keys in chats or logged terminals, and inspect migration archive contents before transferring or unpacking them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares no environment requirements, yet its instructions explicitly rely on environment variables such as IS_CLONE and BIRTH_PRIVATE_KEY_PASSWORD. That mismatch reduces transparency for users and reviewers, making sensitive behavior easier to trigger without clear permission signaling and increasing the chance secrets are mishandled.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose understates much more sensitive behaviors: wallet generation, private-key storage, persistent state mutation, broad packaging of local data, and possible private-key disclosure. This is dangerous because users may invoke a seemingly benign identity/migration skill without understanding that it can collect, persist, package, or expose secrets and other local files.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The code documents that clone initialization will produce a new signature, but in multiple paths it silently reuses the existing signature if decryption or signing fails. This breaks the integrity guarantees implied by the signature, because the persisted metadata can claim a new clone identity without cryptographic proof bound to the new birth_id and timestamp.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The status message reports 'Updated' whenever any signature value is present, even if that value was simply copied from the original record. This can mislead operators into trusting clone identity data as newly signed when it may not have been re-signed at all.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script decrypts a wallet private key and prints it directly to stdout while labeling this path as 'safe'. Terminal output is often captured in shell history, CI/CD logs, terminal scrollback, remote session logging, or monitoring tools, so exposing the secret this way can lead to credential compromise and wallet theft. In this skill context, handling identity and wallet material makes the issue more dangerous because the secret is a blockchain private key with direct control over funds or agent identity.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The function generates fresh wallet identity material and returns the private key, which is then persisted to disk as part of the birth record. In an agent skill whose purpose is birth-ID and lineage tracking, storing reusable private key material materially increases the blast radius from simple metadata management to credential creation and long-term secret retention.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The script appends to SOUL.md in the workspace even though that behavior is not necessary to generate or verify birth IDs. Unadvertised workspace modification is risky because it expands the skill's write scope and normalizes side effects outside its core security-sensitive function.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
Editing arbitrary workspace documentation is not justified by the stated purpose of managing birth IDs and lineage records. Even though the current write is small, unnecessary file-editing capability creates avoidable attack surface and could be repurposed to alter user data or instructions in the workspace.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The comment asserts the private key is needed for verification, but the actual verification only uses the message signature and wallet address. This misleading rationale can cause maintainers to preserve dangerous secret storage unnecessarily, resulting in exposure of a credential that can be used for impersonation or signing operations if the file is read.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The packer archives the workspace, skills, and memory directories in addition to birth-system state, which materially exceeds the stated migration scope and can capture sensitive prompts, agent memories, local code, and embedded secrets. In this context, a migration bundle is intended for transfer to another machine, so over-collection directly increases confidentiality risk and the chance of unintended data exfiltration.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Bundling runtime dependencies from the global OpenClaw installation expands the package beyond user state migration into code distribution, increasing supply-chain and integrity risk. It may copy unexpected libraries or modified code into the archive, creating a package whose behavior is broader and less auditable than the skill description suggests.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The script comments that sensitive data is excluded, but it still copies wallet-linked metadata such as public key, signature, and related identifiers into birth-info.json. While less severe than exporting the private key, this can still leak identifying or correlating information and misleads operators about what data is actually being shared.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list uses broad phrases plus 'or similar,' allowing accidental activation from loosely related user requests. Because this command creates persistent identity material and wallets, unintended invocation can lead to irreversible state changes and unnecessary secret generation.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Using generic triggers like 'pack' with open-ended matching can collide with ordinary conversation and unexpectedly run a packaging workflow. In context, packing may archive substantial local data and consume a password, so accidental activation can cause confidentiality and integrity risks.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The unpack command is tied to broad natural-language phrases and defaults to writing into a target directory, which can modify the filesystem unexpectedly. If triggered unintentionally, it may overwrite or mix files, create clone state, or import untrusted packaged content into a live workspace.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The general activation rule is vague enough to match many normal questions about identity, cloning, or system behavior. In a skill that can generate wallets, unpack archives, and mutate persistent files, overly permissive routing materially increases the chance of unintended high-risk actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The unpack instructions do not clearly warn that files will be written into a destination directory and may affect existing data. That omission is dangerous because users may consent without understanding overwrite, merge, or persistence consequences, especially when a default target path is suggested.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code stores wallet.privateKey in plaintext within birth-info.json and does so automatically, without warning, confirmation, encryption, or permission hardening. Any local compromise, backup leak, shared home directory, or accidental disclosure of that file would expose a signing key that could be reused to impersonate the generated identity.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently packages workspace, skills, and memory content without an explicit privacy warning or informed consent step. Those directories can contain proprietary code, conversation history, credentials, and personal data, so bundling them for transfer creates a substantial privacy and data-loss risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script reads private key material from birth-info.json and exports it into an encrypted backup without strong operator safeguards or explicit secret-handling warnings. Because this is credential material, any mistake in password choice, archive handling, or downstream storage can compromise the associated identity or wallet.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The generated MIGRATION.md embeds the archive password in plaintext, which defeats much of the value of encrypting the wallet backup because the secret travels with the package. Anyone who gains access to the archive contents or accompanying documentation may be able to decrypt the exported wallet material.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script extracts a user-supplied tar.gz directly into a chosen target directory using tar without validating archive contents. A malicious archive can exploit path traversal or symlink handling to overwrite files outside the intended destination, making this more serious than a mere missing warning because the skill explicitly handles migration/unpacking of externally supplied packages.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script writes a shell script into the target directory and marks it executable without any confirmation or ownership/symlink safety checks. If the target directory is attacker-influenced or contains a preexisting symlink at .openclaw-setup.sh, this can clobber an unintended file and leave behind an executable artifact that users are instructed to source.

Session Persistence

Medium
Category
Rogue Agent
Content
- When user says "birth init", "generate birth id", "出生认证", "初始化出生系统" or similar:
  Run: node {baseDir}/generate-birth-id.js
  This will generate a unique Birth ID for new instances, create an Ethereum wallet, and generate a cryptographic signature.
  If IS_CLONE=true is set, it will automatically generate a clone Birth ID.
  Return the generated Birth ID, wallet address, and signature verification status.
Confidence
83% confidence
Finding
create an Ethereum wallet, and generate a cryptographic signature. If IS_CLONE=true is set, it will automatically generate a clone Birth ID. Return the generated Birth ID, wallet address, and sign

VirusTotal

65/65 vendors flagged this skill as clean.
