env-secure-manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a real environment-secret manager, but its secret protections are weak enough that users should review it carefully before trusting it with credentials.

Review before installing. Use this only where skill invocation is tightly controlled, avoid broad loadFromEnv prefixes, do not rely on allowSecret/showSecrets as real authorization, and supply encryption keys through a secure channel rather than allowing generated keys to appear in logs. There is no artifact evidence of exfiltration, destructive behavior, or hidden persistence, so the verdict is Review rather than Malicious.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The skill advertises permission control for secrets, but access control is implemented only as caller-provided booleans like allowSecret/showSecrets. Any caller able to invoke the skill can simply set these flags and retrieve decrypted secrets, so there is no real authorization boundary. In a secret-management skill, this mismatch materially increases the risk of credential disclosure.

Intent-Code Divergence

High
Confidence: 99%
Finding
When no key is provided, the skill generates an AES key and prints it directly to the console. Console logs are often collected, persisted, or exposed to operators and other systems; anyone with log access can decrypt all stored secrets. This directly contradicts the stated goal of preventing credential leakage.

Missing User Warnings

Medium
Confidence: 90%
Finding
The loadFromEnv action bulk-reads all process environment variables matching a caller-controlled prefix and imports them into the skill store, classifying some as secrets. In an agent setting, this can expose sensitive runtime credentials to untrusted callers or prompts by making them available through subsequent get/list/redact operations, especially since secret retrieval controls are weak.

VirusTotal

64/64 vendors flagged this skill as clean.