Plugin v4.0.0-beta.4

ClawScan security

rodwlek · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 3:26 AM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The package claims to be an AES JavaScript library but also contains a large, unrelated identity toolkit (with scripts, plaintext keys in kms.json and a packaged .env) — the bundle is internally inconsistent and includes sensitive secrets and networked scripts that don't match the stated purpose.
Guidance
Do not install or run this skill without further verification. The package claims to be an AES library but contains a separate identity toolkit that stores private keys under $HOME/.openclaw/billions and even includes a kms.json and .env containing private key material. Actions to consider before proceeding: 1) Obtain the skill from a trusted source (official repository) and verify provenance; 2) Inspect the repository locally — search for any kms.json, .env, and scripts that read/write $HOME; 3) If you already installed or unpacked it, do not run any node scripts from this package; rotate any exposed keys immediately (the plaintext key in kms.json and any private key in .env should be considered compromised); 4) If you need only the AES library, prefer installing the upstream aes-js package from a known registry instead of this bundle; 5) Ask the publisher to explain why DID-management scripts and private keys are bundled with an AES library and request a minimal, provenance-verified release. If you want, I can list the exact file paths that contain secrets and the scripts that perform network calls so you can inspect or remove them.
Findings
[unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md content (and in the .env file). This can be used to attempt prompt or evaluation manipulation and is unexpected for an AES library package.

Review Dimensions

Purpose & Capability
concern: The declared name/description (AES implementation) do not match the repository contents. In addition to aes-js sources and README content, the bundle contains a complete 'verified-agent-identity' skill with scripts to create/manage DIDs, persistent storage under $HOME/.openclaw/billions, and network interactions. An AES library should not need DID management scripts or stored Ethereum private keys — this is an incoherent combination.
Instruction Scope
concern: The runtime SKILL.md shown is the AES README, but the package also includes a separate verified-agent-identity/SKILL.md that instructs running node scripts which read and write sensitive files under $HOME/.openclaw/billions, sign challenges, and call external services. Those instructions include running scripts that manage private keys and perform network requests to external endpoints — scope far beyond a simple AES library and granting the skill broad discretion to access/modify local identity files.
Install Mechanism
note: No install spec is declared (instruction-only), which typically lowers risk, but the package contains many code files, an archived tarball (aes-js-4.0.0-beta.4.tgz), and node package manifests. The presence of bundled executables/scripts means installing or unpacking the skill will place code on disk even without an explicit install script. This is inconsistent with 'instruction-only' metadata and increases the attack surface.
Credentials
concern: requires.env lists none, but the bundle contains sensitive credentials/config in the repo: verified-agent-identity/undefined/.openclaw/billions/kms.json includes a plaintext key value, and verified-agent-identity/.env contains an ETH_PRIVATE_KEY entry. The identity scripts read/write home-directory storage and accept an optional BILLIONS_NETWORK_MASTER_KMS_KEY env var. Requesting no env vars while shipping private keys in the package is disproportionate and dangerous.
Persistence & Privilege
note: always:false (good), but the identity scripts explicitly persist private keys and identity state to $HOME/.openclaw/billions. If the skill is executed (manually or autonomously), it will create and modify files in the user's home directory and may perform network calls. Autonomous invocation alone isn't flagged, but combined with the secret material bundled here it materially increases risk.