Passwordstore Broker

Security checks across malware telemetry and agentic risk

Overview

This skill handles secrets through a local password-store workflow, and its sensitive capabilities are disclosed and purpose-aligned, with precautions needed for LAN mode and environment-based secret use.

Install only if you are comfortable using pass/gpg as your local password store and letting the skill run a temporary HTTPS intake server. Prefer localhost mode; use LAN mode only on trusted private networks, protect ~/.passwordstore-broker/totp.secret and the QR/otpauth enrollment output, and run only trusted commands with injected secret environment variables.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return

        try:
            subprocess.run(
                [self.state.vault_script, "put", self.state.secret_name],
                input=secret_value.encode("utf-8"),
                check=True,
Confidence
86% confidence
Finding
subprocess.run( [self.state.vault_script, "put", self.state.secret_name], input=secret_value.encode("utf-8"), check=True, st

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill invokes shell scripts, reads and writes files under the user's home directory, and starts a local/LAN HTTPS intake service, yet it declares no permissions or trust boundaries. That omission can cause downstream systems or users to underestimate the skill's access, especially because it handles highly sensitive credentials and persistent secret material.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The description frames the skill primarily as a transient secret-broker, but the workflow also provisions and persists a long-lived TOTP seed at ~/.passwordstore-broker/totp.secret, generates enrollment artifacts, and instructs the agent to trust a setup timestamp. That hidden persistence expands the security model substantially: compromise of the local host or that seed can weaken LAN-mode authentication and create a durable foothold for secret intake abuse.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script stores the raw TOTP seed in ~/.passwordstore-broker/totp.secret and emits the full otpauth URL, which contains the secret, in its JSON output and on error paths. This bypasses the skill's stated pass-backed secret flow and increases the chance that the seed is exposed via logs, calling processes, terminal history capture, or downstream tooling.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script serves a self-signed HTTPS form for secret submission but gives the user no warning about certificate trust, browser warnings, or the risk of entering credentials into an untrusted page. In a secret-brokering skill, this omission materially increases phishing and man-in-the-middle risk because users are being trained to bypass browser trust indicators while submitting sensitive data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script retrieves a secret and exports it into the child process environment before executing an arbitrary command. Although this is a common convenience pattern, environment variables are frequently exposed through process inspection, inherited by subprocesses, dumped in crash reports, or logged by invoked tools, so the secret can escape the intended vault boundary.

VirusTotal

64/64 vendors flagged this skill as clean.