Web3Dropper Verified Agent

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform the advertised identity-linking work, but it stores agent private keys unencrypted and can send signed identity material to caller-supplied recipients without strong confirmation safeguards.

Install only if you trust the publisher and host environment. Do not import valuable wallet keys; use a dedicated agent key, protect $HOME/.openclaw/billions from other users, backups, and logs, and only sign or link when you recognize the recipient and challenge. Treat this as a review-needed identity tool, not malware.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill explicitly relies on environment access (`$HOME`) and external messaging/networked identity operations, but it does not declare corresponding permissions. That mismatch can cause the agent platform or reviewer to underestimate the skill's ability to read sensitive local state and communicate identity artifacts externally. In an identity-management skill handling private keys and credentials, undeclared capabilities materially increase risk because the skill operates on highly sensitive data.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This utility file contains functionality to send outbound direct messages by invoking an external CLI, which is outside the declared identity/authentication scope of the skill. Even though execFileSync is used with argument separation and some input validation, the hidden messaging capability creates an unexpected side effect channel that could be abused for spam, phishing, or covert exfiltration from a context where users would only expect identity operations.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code invokes an external `openclaw` messaging CLI from a shared utility module, which broadens the skill's effective capabilities beyond identity management. This is dangerous because a shared helper can be called from many paths and may enable undisclosed outbound communication, increasing the risk of misuse, data leakage, or user deception even if classic shell injection is partially mitigated.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation acknowledges that `kms.json` contains unencrypted private keys but does not require an explicit warning, consent, or protective handling before use. This is dangerous because users or agents may invoke identity operations without understanding that long-lived secret key material is stored in plaintext under a predictable home-directory path. In an agent environment, such storage significantly increases the blast radius of any local compromise or unintended file access.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This code sends a sensitive pairing URL directly to an arbitrary recipient identifier supplied via `--to`, but this file shows no explicit user confirmation, recipient validation, or disclosure that the link can bind a human identity to an agent. If an operator mistypes the recipient or if untrusted input controls `args.to`, the pairing request could be delivered to the wrong party and enable unintended identity linking or social-engineering-assisted account association.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The KMS is backed by KeysFileStorage("kms.json"), which means private key material is persisted to a local file. In an agent skill handling identity and signing, plaintext or weakly protected local key storage materially increases the risk of key theft, impersonation, and unauthorized signing if the host, workspace, logs, backups, or shared volume are accessible.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Credential, identity, DID, and challenge artifacts are persisted to local files, which can expose sensitive identity metadata, authentication state, and challenge material to other local users, compromised processes, or insecure backups. In an authentication/identity-management skill, this data is security-relevant and may enable correlation, replay support, or unauthorized access to identity context if improperly protected.

Missing User Warnings

High
Confidence
97% confidence
Finding
This code persists private cryptographic key material directly to a JSON file in plaintext and later returns it via list(), creating multiple opportunities for disclosure through filesystem access, backups, logs, or accidental exposure. In an identity/authentication skill, compromise of these keys can enable impersonation, unauthorized signing, and loss of trust in all derived proofs or identities, so the context makes the issue more dangerous rather than less.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The subprocess performs a real outbound send operation without any user-facing warning, confirmation, or dry-run behavior. In an agent skill, silent messaging is especially risky because it can trigger unauthorized communications to arbitrary targets, enabling phishing, spam, social engineering, or covert transmission of sensitive content while appearing to be a benign identity helper.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This script signs attacker-controlled challenge data and immediately transmits the resulting token to an arbitrary recipient via direct message without any confirmation, preview, or warning to the user. In an identity/authentication skill, that behavior is security-sensitive because a malicious or spoofed request could trick an agent into producing and sending an authentication response or proof to an untrusted party, enabling impersonation or unauthorized session establishment.

Credential Access

High
Category
Privilege Escalation
Content
- `kms.json` - **CRITICAL**: Contains unencrypted private keys
- `defaultDid.json` - DID identifiers and public keys
- `challenges.json` - Authentication challenges history
- `credentials.json` - Verifiable credentials
- `identities.json` - Identity metadata
- `profiles.json` - Profile data
Confidence
92% confidence
Finding
credentials.json

VirusTotal

66/66 vendors flagged this skill as clean.
