AliasKit Identity

The skill is designed to ingest, store, and reveal full payment card numbers, CVCs, and billing details. This capability poses a direct financial risk if the agent is compromised or misused.

ak.cards.create(...), ak.cards.reveal(...)

The agent has the capability to send emails and SMS messages from its provisioned identity, which could be abused for phishing, spam, or social engineering attacks.

await ak.emails.send(...), await ak.sms.send(...)

The skill allows the agent to obtain signed URLs for email attachments, enabling the download and potential processing of arbitrary files, which could lead to malware execution or data exfiltration.

await ak.emails.getAttachmentUrl(emailId, 0);

The skill explicitly instructs the agent to run external shell scripts (`check-events.sh`, `setup.sh`), which represents a command execution capability that could be exploited if the scripts are malicious or modified.

scripts/check-events.sh, scripts/setup.sh

An API key is loaded from `identity.json` and set as an environment variable, making it accessible to the agent. If `identity.json` is compromised, the API key is exposed.

if (id.apiKey) process.env.ALIASKIT_API_KEY = id.apiKey;

The skill provides a function to delete the agent's digital identity, which could be misused for denial of service, to erase traces, or to disrupt operations.

await ak.identities.delete(id.identityId);

The skill instructs the agent to autonomously sign up for third-party services using a fabricated identity (generated name, DOB, email, phone) without explicit per-action user approval. This enables mass account creation, identity fraud, bypassing KYC controls, and terms-of-service violations at scale — all without human confirmation for each action.

"Signup flows: Sign up using your email, then retrieve the verification code" / "to sign up for a service" / "to prove identity" in the description, combined with automated email/SMS verification code retrieval

The skill enables the agent to autonomously reveal full payment card details (card number, CVC, expiry) and complete online purchases without per-transaction human approval. The 'reveal card' pattern exposes real financial credentials to the agent process and any code it executes, enabling unauthorized purchases and card detail exfiltration.

"const card = await ak.cards.reveal(cards.data[0].id, { amountCents: 1999 }); console.log('Card:', card.number); console.log('CVC:', card.cvc);"

The skill reads API keys and a card decryption key (cardKey) from a local identity.json file and injects the API key into the process environment. Any malicious skill or prompt injection that triggers this skill gains access to these credentials. The cardKey, once loaded, allows decryption of stored payment card data.

"if (id.apiKey) process.env.ALIASKIT_API_KEY = id.apiKey;" and "const ak = new AliasKit({ cardKey: id.cardKey });"

The skill instructs the agent to execute shell scripts (scripts/check-events.sh and scripts/setup.sh) from the filesystem without showing the user what these scripts do. These scripts are opaque and could contain any arbitrary commands including data exfiltration, persistence mechanisms, or malware.

"check for new messages by running `scripts/check-events.sh`" and "run `scripts/setup.sh` (relative to this file's directory)"

The skill grants the agent the ability to send emails and SMS messages autonomously from a real phone number and email address, enabling spam, phishing, harassment, or social engineering attacks without per-message user confirmation.

"await ak.emails.send(...)" / "await ak.sms.send(...)" / "to send an email or SMS" in skill description

The skill establishes a persistent digital identity (stored in identity.json) that persists across agent sessions. This creates durable infrastructure for ongoing fraud, spam, or account abuse that survives agent restarts and is difficult to revoke once established.

"Persistent digital identity for this agent" / "The API key is stored in identity.json so it persists across sessions" / "Never create a second identity. Always use the one in your identity file."

The skill establishes persistent WebSocket connections to an external service that receive all inbound communications (emails, SMS, card authorizations). This creates a persistent outbound channel that could be used to exfiltrate sensitive data received by the agent in real time.

"ak.realtime.subscribe(id.identityId, (event) => { console.log('Event:', event.type, event.data); })" and "Listen for all events (emails, SMS, card authorizations, etc.)"

The skill collects real payment card numbers, CVCs, billing addresses, and full card details from the user during the 'add a card' flow and stores an encryption key locally. The assurance that 'AliasKit's servers only ever see an encrypted blob' cannot be verified by the user or the agent.

"Ask for these details one by one: Card number (the 16-digit number on the card), CVC..." / "Explain to the user: All card and billing details are encrypted on your device..."

The skill presents itself as a simple identity management tool but actually grants the agent sweeping autonomous capabilities including making financial transactions, sending messages from real phone numbers/emails, bypassing 2FA on third-party services, and running shell scripts — capabilities far beyond what a typical identity helper would imply.

Skill name 'aliaskit' and description 'Persistent digital identity for this agent' versus actual capabilities: autonomous purchases, SMS sending, account creation, 2FA bypass, shell execution

The skill instructs the agent to deliver a specific reassurance script to the user about card data security ('AliasKit can never see your card number...'), which may reduce the user's security vigilance and encourage them to hand over real payment card credentials to the agent.

"Explain to the user: 'All card and billing details are encrypted on your device before anything is sent. AliasKit's servers only ever see an encrypted blob. AliasKit can never see your card number, CVC, or billing details.'"