Skill v1.0.0

ClawScan security

Web3dropper Crypto Price Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 8, 2026, 4:02 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The package mixes two different purposes (a small Binance price script and a large Billions/iden3 identity toolkit), stores agent private keys unencrypted under $HOME/.openclaw/billions, and will send signed tokens/URLs to external recipients — the combination is coherent for an identity skill but the name/metadata mismatch and sensitive local key handling warrant caution.
Guidance
Be cautious before installing. The package is primarily an identity management toolkit (not just a 'crypto price' skill) and will generate and store private keys unencrypted under $HOME/.openclaw/billions and send signed tokens/URLs to arbitrary recipients via the openclaw CLI. If you only want a Binance price fetcher, do not install this package. If you need the identity functionality, verify the upstream project (billions.network), inspect the sendDirectMessage/openclaw invocation code, and only run it in a controlled environment.

Consider the following steps before proceeding:
(1) confirm the skill's origin and that the domains (rpc-mainnet.billions.network, attestation-relay.billions.network, wallet.billions.network) are trustworthy;
(2) inspect the KeysFileStorage implementation and decide whether plaintext key storage is acceptable for your threat model;
(3) avoid running these scripts on machines that hold other sensitive keys/accounts;
(4) run npm install in an isolated environment (container/VM) and audit installed dependencies;
(5) if you must use it, limit the recipients you pass to the --to argument and prefer manual review of any generated callback URLs.

If you want help locating the specific lines that write/read kms.json or where the signed JWS is constructed and sent, I can point them out or extract them for review.

Review Dimensions

Purpose & Capability
concern: Registry name/summary ('Web3dropper Crypto Price Skill') suggests a simple Binance price fetcher, but the repository and SKILL.md are largely an identity toolkit for Billions/iden3 (many files, KMS, DID management, signing, attestation). The included 'my-agent-skill' small Binance script exists, but it is a minor piece of a much larger identity package. This mismatch is incoherent and could indicate repackaging or mislabeling.
Instruction Scope
concern: Runtime instructions tell the agent to run npm install and multiple scripts that create/import private keys, sign challenges, build authorization requests and call openclaw to send messages containing signed JWS/callback URLs. Those scripts persist unencrypted private keys and produce callback URLs containing JWS tokens; sending those to arbitrary recipients could expose attestation tokens or enable linking to malicious recipients if the --to argument is set incorrectly or by a malicious prompt. The SKILL.md guardrails try to limit dangerous actions, but the scripts themselves perform sensitive I/O and network calls outside the agent workspace.
Install Mechanism
note: No formal install spec is provided in the registry (instruction-only), but SKILL.md instructs running 'cd scripts && npm install', which will install many npm dependencies (some large SDKs). Pulling these npm packages is standard for the identity functionality; there is no remote archive download or URL shortener in the install path. The presence of heavy dependencies is proportionate to iden3/PolygonID usage, but it increases the surface area compared with a tiny price-fetching skill.
Credentials
concern: The skill requests no environment variables, but it writes sensitive cryptographic material to $HOME/.openclaw/billions (kms.json with privateKeyHex stored in plaintext) and reads it back from there. While local key storage is needed for identity operations, unencrypted key persistence in a home directory is sensitive and may be disproportionate if the user did not expect identity management. The scripts also contact RPC and relay endpoints (rpc-mainnet.billions.network and attestation-relay.billions.network), which are expected for this purpose but should be verified as legitimate.
Persistence & Privilege
note: The skill does not request always:true and does not modify other skills. It creates persistent files under $HOME/.openclaw/billions (kms.json, identities.json, challenges.json, defaultDid.json). Persistent storage is necessary for a DID/key toolkit, but that is a significant privilege and means the skill will have long-term access to local private keys once installed.