env-secure-manager
WarnAudited by ClawScan on May 18, 2026.
Overview
This secret-management skill is purpose-aligned, but it can broadly read environment variables, expose stored secrets through simple flags, and prints its generated encryption key to logs.
Review carefully before installing. If you use it, do not allow broad loadFromEnv prefixes, avoid showSecrets/listing plaintext secrets, and do not rely on the printed encryption key as safe. There is no evidence of hidden exfiltration or destructive behavior, but the secret-access boundaries are too loose for a security tool.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could pull more local environment secrets into the skill than intended, increasing the chance they are later revealed or mishandled.
The skill can enumerate the process environment and import variables matching a caller-controlled prefix; because z.string() allows broad values such as an empty prefix, this can include unrelated credentials, despite no env/credential requirements being declared in metadata.
action: z.literal("loadFromEnv"), prefix: z.string().optional().default("OPENCLAW_") ... for (const [key, value] of Object.entries(Deno.env.toObject())) { if (key.startsWith(prefix)) { ... } }Declare environment access, restrict imports to an explicit non-empty allowlist, require clear user confirmation for broad imports, and classify common secret names such as TOKEN and PRIVATE_KEY.
Stored secrets could be printed into the agent conversation or logs if the tool is invoked with the reveal flag.
A caller can bulk decrypt and return stored secrets by setting showSecrets=true. This is high-impact secret output controlled only by a tool argument, not by a separate user approval boundary.
z.object({ action: z.literal("list"), showSecrets: z.boolean().optional().default(false) }) ... if (item.encrypted && item.iv && showSecrets) { result[key] = await decrypt(item.value, item.iv); }Avoid bulk secret display by default, require per-secret user confirmation before returning plaintext, and document every secret-revealing parameter clearly.
The key protecting stored secrets may end up in chat history or logs; if encrypted values are also exposed, that key could allow decryption.
The generated encryption key is written to the process environment and printed to console/logs, which conflicts with the skill's anti-leakage security framing.
Deno.env.set("OPENCLAW_ENV_ENCRYPTION_KEY", keyStr); console.warn("⚠️ 自动生成环境变量加密密钥,请保存到安全位置:", keyStr);Do not print encryption keys. Use a secure secret store or return only a non-sensitive fingerprint and clear setup instructions.
Runtime trust includes the referenced deno.land modules, not only the files shown in the skill package.
The skill relies on remote Deno modules that are not included in the manifest. They are version-pinned and appear purpose-aligned, so this is a provenance note rather than a standalone concern.
import { z } from "https://deno.land/x/zod@v3.22.4/mod.ts"; import { crypto } from "https://deno.land/std@0.214.0/crypto/mod.ts";Document remote dependencies and consider vendoring or integrity-pinning them for reproducible installs.