ClawHub

Bitwarden CLI

Security checks across malware telemetry and agentic risk

Overview

This Bitwarden helper is transparent about its purpose, but it gives an agent broad password-vault authority and normalizes risky credential handling without enough guardrails.

Review before installing. Use this only if you intentionally want an agent to operate your Bitwarden vault. Prefer interactive unlock or short-lived secrets over auto-sourced .secrets files, require explicit approval before exports, deletes, Sends, organization/device approvals, or bw serve, and avoid raw exports or logging any retrieved secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to persistently source a plaintext secrets file from shell startup files, causing Bitwarden credentials to be loaded into every new shell session. This unnecessarily broadens exposure of the master password and related secrets to unrelated commands, subprocesses, shell history mistakes, debugging output, and other local tooling beyond the password-manager use case.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
Documenting `bw serve` within a password-manager skill expands the apparent operational scope to running a local REST API over the vault, which materially increases attack surface. In this context, an agent could be induced to start a service that exposes sensitive vault operations to other local processes or, if misconfigured, broader network access.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger description includes broad phrases such as 'vault', 'generate password', and 'get password', which can cause the skill to activate in contexts where the user did not intend Bitwarden CLI operations. In a credential-management skill, overbroad invocation is risky because accidental activation can lead to sensitive vault access, credential retrieval, or export-related actions in the wrong workflow.

Missing User Warnings

High
Confidence
94% confidence
Finding
The documentation provides full-vault export commands, including JSON, encrypted JSON, ZIP, and stdout/raw output, without an explicit warning that these operations can exfiltrate the entire vault and attachments. In the context of a password-manager skill, presenting export as a normal operation without strong guardrails materially increases the risk of catastrophic credential disclosure.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The global options include `--raw`, `--response`, `--quiet`, and especially `--session <key>` without warning that these can surface or accept highly sensitive material. In a skill centered on password-manager operations, omission of exposure guidance increases the chance that secrets are printed, logged, or passed insecurely between tools.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The login and unlock examples show passwords supplied as command arguments and from environment variables or files, but do not warn that command-line arguments may be exposed via shell history or process listings and that env/file sources also require careful protection. Because this skill directly handles credential-manager authentication, unsafe examples materially raise credential leakage risk.

Missing User Warnings

High
Confidence
97% confidence
Finding
The export command can write an entire vault to disk or stdout, including highly sensitive credentials, but the documentation omits any warning about plaintext exposure, insecure storage, shell redirection, or downstream logging. In the context of a password-manager skill, this is especially dangerous because it normalizes one of the highest-impact exfiltration paths.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The `serve` command starts a REST API over Bitwarden data, yet the reference only notes `--disable-origin-protection` as not recommended and does not explain that even local API exposure creates a new access surface for vault operations. Given the skill's password-manager context, omission of a strong warning understates the risk of unauthorized access, token misuse, or service exposure through bad binding or local compromise.

Ssd 3

High
Confidence
98% confidence
Finding
The skill normalizes storing the Bitwarden master password in a plaintext .secrets file and then wiring that file into shell startup behavior. Even with chmod 600, plaintext at-rest storage of a vault master password significantly increases compromise risk from local malware, backups, accidental copies, editor plugins, and process/environment leakage.

Ssd 3

High
Confidence
97% confidence
Finding
The workaround advises storing both email and master password in a sourced secrets file and replaying them for login, which expands the attack surface from unlock-time exposure to reusable login credentials. This is especially dangerous because it turns highly sensitive authentication material into routine shell-managed state that may be inherited, logged, or reused by unrelated processes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal