Back to skill

Security audit

Bitwarden CLI

Security checks across malware telemetry and agentic risk

Overview

This is a transparent Bitwarden CLI helper, but it gives an agent broad password-vault authority and recommends risky persistent handling of vault secrets.

Install only if you intentionally want an agent to operate your Bitwarden vault. Avoid persistent .bashrc/.zshrc auto-sourcing of vault secrets, prefer interactive unlock or short-lived environment variables, and require explicit approval before exports, raw output, deletes, Sends, organization/device approvals, or bw serve.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents `bw export`, including JSON, ZIP with attachments, and `--raw` output, without prominent warnings about writing highly sensitive vault contents to disk or stdout. In an agent context, this increases the risk of mass secret exfiltration, accidental logging, or leakage into terminal history, transcripts, or downstream tools.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The documentation states that unlock returns an export command containing BW_SESSION but provides no warning that this session token grants vault access for the session lifetime. In an agent setting, such tokens are especially likely to be captured in logs, transcripts, or tool output and then reused by another process or user.

Missing User Warnings

High
Confidence
93% confidence
Finding
Documenting vault export, especially --raw to stdout and unencrypted formats like csv/json, without a strong warning materially increases the chance of full-secret exfiltration. In this skill context, the command enables bulk extraction of all vault contents, making accidental disclosure or malicious misuse far more damaging than ordinary single-item access.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The serve command exposes vault operations over a REST API, and the reference does not explain the trust boundary, authentication expectations, or the risk of broadening access to secrets through a local service. Even when bound to localhost, local malware, other users on the host, or unsafe origin settings could abuse the API to access vault data.

Session Persistence

Medium
Category
Rogue Agent
Content
3. **Secure session**: Use `bw lock` when done
4. **Protect secrets**: Never log BW_SESSION or BW_PASSWORD
5. **Secure storage**: Keep .secrets file at mode 600, never commit it
6. **Auto-source**: Add to ~/.bashrc or ~/.zshrc for persistent env vars
7. **Verify fingerprints**: Before confirming org members

## Troubleshooting
Confidence
88% confidence
Finding
Add to ~/.bashrc

YARA rule 'backdoor_persistence': Backdoor persistence with malicious payloads (shell commands, SSH key injection, hidden root users) [malware]

High
Category
YARA Match
Content
echo ".secrets" >> ~/.openclaw/workspace/.gitignore

# Auto-source in shell config (run once)
echo 'source ~/.openclaw/workspace/.secrets 2>/dev/null' >> ~/.bashrc
# OR for zsh:
echo 'source ~/.openclaw/workspace/.secrets 2>/dev/null' >> ~/.zshrc
```
Confidence
93% confidence
Finding
echo 'source ~/.openclaw/workspace/.secrets 2>/dev/null' >> ~/.bashrc

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.