Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Proton Pass CLI
v1.1.0
Manage Proton Pass vaults, items (logins, SSH keys, aliases, notes), passwords, SSH agent integration, and secret injection into applications. Use when working with Proton Pass for password management, SSH key storage, secret injection (run commands with secrets, inject into templates), environment variable injection, or generating secure passwords. Supports vault/item CRUD, sharing, member management, SSH agent operations, TOTP generation, secret references (pass://vault/item/field), template injection, and command execution with secrets.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious, medium confidence
Purpose & Capability
The name and description align with the runtime instructions (vault/item management, secret injection, SSH integration). However, the registry metadata lists the source as unknown and the homepage as none, which reduces confidence that this is an official packaged skill. The SKILL.md also describes functionality (execute commands with secrets injected) that requires the ability to run arbitrary commands — this is coherent with the stated features but materially increases risk.
Instruction Scope
The SKILL.md instructs the operator to download & pipe a remote install script (curl | bash or Invoke-WebRequest install.ps1) and to use environment variables or files to hold plaintext secrets (PROTON_PASS_PASSWORD, *_FILE). It explicitly documents 'secret injection' and 'command execution with secrets' (run arbitrary commands with secrets injected), which if executed by an agent or by scripts can exfiltrate secrets or be abused to run arbitrary code. The instructions do not request access to unrelated system files, but they do authorize use of secrets in arbitrary templates/commands — a high-risk capability.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md recommends installing via a remote script piped to a shell (https://proton.me/download/pass-cli/install.sh) or a PowerShell script from the same domain, and offers Homebrew as an alternative. Download-and-execute from the network is high risk even when served from an official domain; Homebrew is lower risk. Absence of a documented packaged install in the registry means users/agents might follow the curl|bash route by default.
Credentials
The skill declares no required environment variables, but the instructions describe optional env vars and file-based variables for automation (PROTON_PASS_PASSWORD, PROTON_PASS_TOTP, PROTON_PASS_EXTRA_PASSWORD and *_FILE variants). Those env vars are directly relevant to the CLI, so they are proportionate to the stated purpose — however recommending plaintext credentials in env vars/files is a sensitive practice and should be treated carefully. The secret-injection feature is functionally justified for the described purpose but raises exfiltration risk.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system-wide settings. It allows normal autonomous invocation (disable-model-invocation:false), which is the platform default; combined with the ability to inject and execute secrets, this increases the blast radius if the agent is allowed to call the skill autonomously.
What to consider before installing
This SKILL.md appears to be a usage/install guide for a Proton Pass CLI and is internally consistent, but exercise caution:
1) The registry lists the source as unknown and provides no homepage — verify you obtained the skill from an official/trusted source before installing anything.
2) The install instructions include executing a remote script (curl | bash or install.ps1); prefer package-manager installs (Homebrew or official release assets) or review the install script contents before running.
3) The guide recommends putting credentials in environment variables or files and supports injecting secrets into arbitrary commands/templates — these are convenient but can leak secrets if scripts or agents run untrusted commands.
4) If you allow autonomous agent invocation, explicitly restrict the agent's ability to execute system commands or access sensitive files, and avoid granting broad runtime privileges.
5) If you need this skill, consider: obtaining the official binary from Proton's verified releases, auditing the install script, and using ephemeral/least-privilege automation tokens or file-based secret references rather than persistent plaintext env vars.
Like a lobster shell, security has layers — review code before you run it.
