SecretClaw
Warn. Audited by ClawScan on May 10, 2026.
Overview
SecretClaw is mostly aligned with secure secret entry, but review is recommended because the credential form trusts agent-supplied text and exposes the entry flow through a public Cloudflare tunnel.
Use this only if you trust the skill source, the local machine, and Cloudflare Quick Tunnel for the specific secret. Before submitting, verify the form shows the expected config path, open the URL only from a private/trusted chat, and prefer scoped or revocable API keys.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent or prompt-influenced workflow supplies a crafted label or config key, the form could be visually altered or run injected browser script while the user is entering a secret.
The command-line label and config key are inserted into the sensitive password-entry HTML without HTML escaping or validation.
parser.add_argument("--label", required=True, ...)
...
HTML_FORM = f"""...<h2>🔑 Enter {label}</h2>...<code>{config_key}</code>..."""
Escape all HTML output, validate config keys to a narrow dot-notation allowlist, restrict labels to safe characters, and show a clear confirmation of the exact config target before accepting a secret.
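As an added illustration of the fix recommended for this finding (not code from the SecretClaw skill), the snippet below places a dot-notation allowlist on the config key, a character allowlist on the label, and HTML escaping on both before they reach the password-entry page; the function and pattern names are assumptions chosen for the example.

```python
# Added example, not the SecretClaw skill's own code. render_form, validate_config_key,
# validate_label and vulnerable_form are names chosen for illustration.
import html
import re

# Config keys must be dot-separated identifier segments, e.g. "openai.apiKey".
CONFIG_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")
# Labels: letters, digits, spaces and a little punctuation; no angle brackets or quotes.
LABEL_RE = re.compile(r"^[A-Za-z0-9 ._:/()-]{1,64}$")


def validate_config_key(config_key: str) -> str:
    """Reject anything that is not a plain dot-notation config path."""
    if not CONFIG_KEY_RE.fullmatch(config_key):
        raise ValueError(f"config key rejected: {config_key!r}")
    return config_key


def validate_label(label: str) -> str:
    """Reject labels that could carry markup or script."""
    if not LABEL_RE.fullmatch(label):
        raise ValueError(f"label rejected: {label!r}")
    return label


def vulnerable_form(label: str, config_key: str) -> str:
    """The pattern the finding describes: raw interpolation, no validation or escaping."""
    return f"<h2>Enter {label}</h2><code>{config_key}</code>"


def render_form(label: str, config_key: str) -> str:
    """Hardened variant: validate first, then escape anyway so a later relaxation of the
    allowlists cannot silently reintroduce markup injection. The page also states the
    exact config target so the user can confirm it before submitting."""
    safe_label = html.escape(validate_label(label), quote=True)
    safe_key = html.escape(validate_config_key(config_key), quote=True)
    return (
        "<!doctype html><html><body>"
        f"<h2>Enter {safe_label}</h2>"
        f"<p>This value will be saved to config key <code>{safe_key}</code>. "
        "Confirm this is the path you expect before submitting.</p>"
        '<form method="post"><input type="password" name="value" autocomplete="off">'
        '<button type="submit">Save</button></form>'
        "</body></html>"
    )
```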
Any submitted key or token may grant OpenClaw or its integrations access to third-party accounts or services.
The skill intentionally handles high-value credentials and persists them into OpenClaw configuration.
Use when registering API keys, tokens, passwords, or any sensitive config values... then saves the submitted value via `openclaw config set`.
Only enter scoped, revocable credentials; verify the displayed config path; and rotate the credential if the URL or submission flow is exposed to someone untrusted.
The submitted secret is not typed in chat, but the entry flow still relies on a public tunnel and bearer URL token; anyone with the live URL can attempt to submit first.
The secret-entry form is exposed through a Cloudflare public tunnel, and the local HTTP server listens on all interfaces.
subprocess.Popen(["cloudflared", "tunnel", "--url", f"http://localhost:{port}"])
...
httpd = http.server.HTTPServer(("0.0.0.0", port), handler)
Send the URL only through a private channel, confirm the URL and config path before entering a secret, and consider a localhost-only/private-network mode for highly sensitive credentials.
The skill may fail unexpectedly or use whatever cloudflared/openclaw binaries are present on the machine.
The script runs external binaries from PATH, while the provided metadata declares no required binaries or install specification.
["cloudflared", "tunnel", "--url", f"http://localhost:{port}"]
...
["openclaw", "config", "set", config_key, value]Declare required binaries in metadata and install instructions, and ensure cloudflared and openclaw come from trusted sources before use.
