Devtools Secrets

Security checks across malware telemetry and agentic risk

Overview

This skill is genuinely about developer secret tooling, but some examples encourage exposing or persisting secrets without enough safeguards.

Install only if you intentionally want an agent helping with local secret-tool setup. Review every export or hook command before running it; avoid printing secrets to stdout or writing them to project .env files; keep generated secret files out of git; and prefer process-scoped injection (running the target command under the secret tool) instead of persisting secrets on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 86%
Finding
The reference documents `infisical export` to stdout and to output files without immediately warning that both patterns can leak secrets through terminal scrollback, shell history, CI logs, or accidentally committed `.env` files. In a secrets-management skill, omission of those cautions is security-relevant because users may copy the examples directly into unsafe contexts.

Missing User Warnings

Medium
Confidence: 89%
Finding
The examples show credential material in environment variables and command arguments, including `INFISICAL_TOKEN`, `--client-id`, and `--client-secret`, without nearby guidance about exposure via process lists, shell history, CI echoing, or inherited environments. Although common in documentation, presenting these patterns unqualified in a secrets-focused reference increases the chance of unsafe operational use.

Missing User Warnings

Medium
Confidence: 97%
Finding
The hook example runs `fnox exec -- env > .env.local`, which materializes all injected environment variables, including secrets, into a plaintext file on disk. Even if intended as an example, this guidance normalizes insecure secret persistence and can lead to accidental commits, local compromise exposure, or leakage through backups and tooling that reads dotenv files.

VirusTotal

66/66 vendors flagged this skill as clean.
