ClawHub

Web3dropper Crypto Price Skill

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches an identity-linking purpose, but it needs review because it stores unencrypted identity keys and includes mismatched crypto-price artifacts.

Install only if you are comfortable with an agent creating and storing long-lived identity keys on this machine. Use it only on a trusted, access-controlled host, avoid shared workspaces or backups that may capture $HOME/.openclaw/billions, and treat any generated DID, token, verification URL, or stored credential as sensitive. The publisher should remove the unrelated crypto-price package and add stronger key-storage protections before broad use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill declares no permissions, yet its documented behavior clearly requires environment access and external messaging/network capability via Node scripts and openclaw. This mismatch weakens policy enforcement and informed consent, because operators cannot accurately assess what the skill can access before use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
A documented identity-management skill that also makes an unrelated Binance BTC/USDT request is a strong indicator of hidden or undeclared behavior. Unrelated network activity can be used for covert telemetry, exfiltration, beaconing, or supply-chain abuse, especially in a skill that also handles keys and credentials.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The README describes a Binance cryptocurrency price skill, while the manifest claims the skill provides Billions/Iden3 authentication and identity management. This kind of capability mismatch is a strong indicator of deceptive packaging, repurposed code, or supply-chain tampering because reviewers and users may install the skill expecting identity functions while receiving unrelated behavior. In an agent ecosystem, misleading metadata can hide unauthorized network access, bypass trust decisions, and undermine provenance checks.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code's behavior is materially inconsistent with the declared purpose of an identity/authentication skill: it retrieves cryptocurrency market data from Binance and prints it, with no identity, proof, signing, or verification logic present. This kind of capability mismatch is dangerous because it can conceal unauthorized behavior under a trusted security-oriented manifest, increasing the chance that reviewers or users grant the skill privileges it does not need.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
An external request to a cryptocurrency pricing endpoint is unjustified in an identity/authentication skill and indicates unnecessary outbound network access. Even though the current request only fetches public market data, the mismatch in context makes the behavior suspicious and establishes a pathway for hidden data exfiltration or covert functionality in a security-sensitive skill.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The package metadata claims this skill is a crypto price tool, which directly conflicts with the declared skill purpose of verified-agent-identity. In an agent skill ecosystem, this kind of identity mismatch is a strong indicator of deceptive packaging, hidden functionality, or supply-chain substitution, because operators may grant identity-related trust to code that is actually intended for a different purpose.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest claims to be a crypto/Binance BTC price skill, while the provided skill metadata says the package should be a verified-agent-identity capability for Billions/Iden3 authentication. This mismatch is a strong indicator of skill substitution or deceptive packaging, which can cause an operator to install or trust functionality different from what was reviewed, enabling unauthorized network access, data exfiltration, or execution of unintended behaviors under a misleading identity-related label.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The utility module contains a function that invokes an external CLI, `openclaw message send`, which is not clearly aligned with the stated identity/authentication purpose of the skill. Even though `execFileSync` avoids shell interpolation and there is some input validation, this still creates a side-effecting outbound messaging capability that could be abused by other parts of the skill to exfiltrate data, contact unintended recipients, or perform actions outside the expected trust boundary for an identity utility library.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The utility exposes outbound messaging by invoking an external CLI (`openclaw message send`) from a shared helper in a skill whose declared purpose is identity/authentication. Even though `execFileSync` avoids shell expansion and the inputs are partially validated, this still creates an unexpected exfiltration/communication primitive that other parts of the skill can call without any user disclosure, consent, or policy checks.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The invocation examples are phrased broadly enough that ordinary conversation like 'link your agent identity to me' could trigger sensitive signing/linking workflows. In a skill that can send signed messages and establish identity links, accidental activation increases the risk of unauthorized authentication actions or social-engineering abuse.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation states that sensitive identity material is stored under $HOME/.openclaw/billions and explicitly notes unencrypted private keys, but does not present a strong warning, safeguards, or compensating controls. Storing long-lived private keys unencrypted creates immediate account- and identity-compromise risk if the host, logs, backups, or local users are exposed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code persists cryptographic key material via `KeysFileStorage("kms.json")`, which creates a local file-backed keystore for private keys used by the identity wallet. Storing agent identity keys in plaintext or weakly protected local JSON materially increases the risk of key theft, impersonation, and long-term compromise if the host filesystem, workspace, or logs are accessible to other users or processes.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The runtime stores credentials, identities, profiles, DIDs, and challenges in local files such as `credentials.json`, `identities.json`, `profiles.json`, `defaultDid.json`, and `challenges.json`. Even if some of this data is not strictly secret, identity and credential artifacts can contain sensitive metadata, enable correlation, or expose authentication state when stored insecurely on disk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code persists private cryptographic keys directly to a local JSON file in plaintext and later returns them via list/get operations without any protection, encryption, or access-control mechanism. In an agent environment, filesystem compromise, backup leakage, logs, container escape, or accidental file inclusion can expose long-term private keys and enable identity theft, message signing, or unauthorized authentication.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The usage instructions encourage immediate identity creation and linking without a prominent warning that the process creates and stores highly sensitive identity material, including unencrypted private keys in a local directory. In an identity-management skill, omission of this warning increases the chance that users or agents will create long-lived credentials on shared or insufficiently protected systems, leading to credential theft or impersonation.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill documents sending signed challenges, JWS tokens, and verification-link data over direct messages without clearly warning that these artifacts are authentication-related and may be sensitive or replayable depending on downstream handling. Because the skill is specifically for identity proof and account linking, normalizing transmission without privacy guidance can cause inadvertent disclosure to the wrong recipient, logging systems, or intermediaries.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code initializes a file-backed key store with `new KeysFileStorage("kms.json")`, which means cryptographic key material is persisted to a local file. For an agent identity/authentication skill, local plaintext or weakly protected key storage materially increases the risk of key theft, impersonation, and credential misuse if the host, workspace, or logs/artifacts are accessible.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The runtime persists credentials, identities, profiles, DIDs, and challenges to local files without any visible safeguards or disclosure in this file. In an identity-management context, these artifacts can contain sensitive metadata or authentication state that may enable correlation, replay support, privacy loss, or facilitate account recovery/impersonation when combined with other compromised data.

Missing User Warnings

High
Confidence
97% confidence
Finding
This code stores private keys directly on disk in a JSON file and returns them in plaintext, with no encryption, access control, or secure storage mechanism. In an agent identity/authentication skill, plaintext key storage is especially dangerous because compromise of the host, workspace, backups, or logs could expose signing keys and enable impersonation or unauthorized authentication.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This code performs subprocess-based outbound communication without any visible warning, prompt, or transparency to the user. In an agent skill context, undisclosed external messaging is risky because it can be used to transmit sensitive data or perform actions outside the expected identity-management scope, making misuse harder for users and auditors to detect.

Credential Access

High
Category
Privilege Escalation
Content
- `kms.json` - **CRITICAL**: Contains unencrypted private keys
- `defaultDid.json` - DID identifiers and public keys
- `challenges.json` - Authentication challenges history
- `credentials.json` - Verifiable credentials
- `identities.json` - Identity metadata
- `profiles.json` - Profile data
Confidence
88% confidence
Finding
credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal