Back to skill

Security audit

SecretClaw

Security checks across malware telemetry and agentic risk

Overview

SecretClaw’s behavior matches its stated purpose, but it handles real secrets through a temporary Cloudflare tunnel and should only be used when that trust model is acceptable.

Install only if you trust the skill source, the local `openclaw` and `cloudflared` binaries, and Cloudflare Quick Tunnel for the secrets you will enter. Treat the generated URL as temporary sensitive access, verify the config path before submitting, and use a local/manual config method if third-party tunnel transit is not acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs the agent to run a local server, expose it through a Cloudflare Tunnel, read and write workspace files, and invoke shell commands, yet it declares no permissions. This creates a dangerous mismatch between the visible trust boundary and the actual capabilities, making it easier for an agent or reviewer to approve execution without understanding that the skill can exfiltrate or persist sensitive data.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill advertises secret entry outside chat, but it writes active tunnel metadata including the externally reachable URL into a workspace file. That creates a secondary disclosure channel: any local process, user, or tool with workspace access can discover the live secret-entry endpoint and attempt unauthorized submissions if the tokenized URL is also exposed.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Recording Cloudflare tunnel information in a shared workspace expands the exposure surface beyond the stated purpose of collecting a secret. In the context of a secret-entry skill, unnecessary persistence of network-facing metadata is dangerous because it can aid discovery, monitoring, or abuse of the transient endpoint by other local components.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill presents the flow as 'secure' while omitting a clear user-facing warning that the submitted secret is transmitted through a Cloudflare Quick Tunnel, i.e. through a third-party network path rather than staying purely local. Users may disclose highly sensitive credentials under a false assumption about the transmission path, which can violate security policy, compliance requirements, or user expectations.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The design sends user secrets through an externally exposed Cloudflare tunnel, but neither the code comments nor the rendered form clearly warn that a third-party service is in the transport path. For a skill whose core purpose is handling API keys and passwords, lack of explicit disclosure materially increases the security and trust risk because users may assume the exchange is strictly local/end-to-end under their control.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The code accesses the user's workspace and writes tunnel metadata without clear runtime disclosure. While this is less severe than transmitting the secret via a third party, it still violates the principle of least surprise for a security-sensitive skill and can leak operational details to other components reading the workspace.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.