Credential Manager

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed credential-migration tool, but it has broad authority over local secrets and persistent plaintext credential files that users should review carefully before installing.

Install only if you intentionally want OpenClaw credentials centralized in ~/.openclaw/.env. Run scan first, review every discovered path, avoid importing unrelated app secrets or wallet seed phrases by default, do not use --yes until you understand the exact changes, verify or restrict backup permissions, and run cleanup only after testing the new .env and confirming rollback works.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (32)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill describes filesystem reads, writes, and shell-based operations, but the manifest does not explicitly declare those capabilities. That mismatch weakens policy enforcement and informed consent because users and platforms cannot clearly see that the skill will scan credential files, create backups, modify .env files, and delete old files. In a credential-handling skill, hidden or implicit capabilities are more dangerous because they operate on highly sensitive material.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The document prescribes cleanup that removes scattered credential files after consolidation, but it does not provide an explicit warning about deletion risk, verification steps, rollback guidance, or safeguards against partial/incorrect merges. In a credential-management skill, destructive actions against secrets are especially sensitive because mistakes can break services or permanently remove access material.

Natural-Language Policy Violations

Medium

Confidence: 88% confidence
Finding: The rule hard-codes a single credential path under a specific home directory and states there are no exceptions, removing user/environment choice. This is risky because it can cause credentials to be written to the wrong account context, break multi-user or multi-environment setups, and encourage unsafe assumptions about where secrets live.

Missing User Warnings

Medium

Confidence: 77% confidence
Finding: The README explicitly promotes scanning for credential files, consolidating secrets into a single `.env`, and deleting old files, but it does not prominently warn that this workflow handles highly sensitive material and may overwrite or remove credential sources. In a security-focused skill, omission of strong operational cautions can lead users to run destructive secret-handling actions without verifying scope, backups, or destination security.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The activation language is overly broad: setup, migration, auditing, and enforcing security could match many unrelated contexts and cause the skill to run when users did not intend to expose credential files. Because the skill scans common locations for secrets, accidental invocation increases the chance of unnecessary credential access and modification. Broad triggering is especially risky for a mandatory, high-authority skill.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill openly states that it will scan multiple locations, back up files, consolidate secrets into a new .env, and later clean up old files, but it does not prominently warn that this process reads and copies sensitive secrets across locations. That omission undermines informed consent and can lead users to expose or duplicate credentials unintentionally. In a security tool, failure to clearly disclose sensitive data handling is itself a significant risk.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The script is explicitly designed to aggregate secrets, but it does so in a way that silently creates a new centralized secret store and backup copies without clearly warning the user that sensitive credentials will be duplicated on disk. This increases secret sprawl and persistence: users may believe they are improving security while actually creating additional plaintext copies that could be exposed through backups, later permission drift, or operational mistakes.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script enumerates and opens likely credential files across the user's home directory, including shell rc files and .env files, without any explicit consent prompt or warning that local secrets will be inspected. Even though it only reports keys and metadata rather than values, reading secret-bearing files is a sensitive operation and can violate user expectations or leak information if run in an automated agent context.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The --fix mode performs state-changing actions such as chmod on the credential file and appending to .gitignore immediately after invocation, without an interactive confirmation or dry-run review. In a credential-management skill, unexpected modification of permission bits or repository ignore rules can affect availability, auditability, or user workflows if run in the wrong directory or against an unintended target path.

Autonomous Decision Making

Medium

Category: Excessive Agency
Content: # Interactive mode (prompts before changes) ./scripts/consolidate.py # Auto-confirm (no prompts) ./scripts/consolidate.py --yes # Backup only
Confidence: 84% confidence
Finding: Auto-confirm

Credential Access

High

Category: Privilege Escalation
Content: The skill automatically detects credentials by scanning for: **File Patterns:** - `credentials.json` files in config directories - `.env` files - Memory files with `-creds` or `credentials` in the name
Confidence: 98% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: --- name: credential-manager description: MANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional — centralized credential management is a core requirement for secure OpenClaw deployments. Scans for credential files across common locations, backs up existing files, creates a unified .env with mode 600, validates security, and enforces best practices. --- # Credential Manager
Confidence: 97% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: --- name: credential-manager description: MANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional — centralized credential management is a core requirement for secure OpenClaw deployments. Scans for credential files across common locations, backs up existing files, creates a unified .env with mode 600, validates security, and enforces best practices. --- # Credential Manager
Confidence: 97% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: --- name: credential-manager description: MANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional — centralized credential management is a core requirement for secure OpenClaw deployments. Scans for credential files across common locations, backs up existing files, creates a unified .env with mode 600, validates security, and enforces best practices. --- # Credential Manager
Confidence: 97% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: # Add credential-manager scripts to path sys.path.insert(0, str(Path.home() / '.openclaw/skills/credential-manager/scripts')) # Enforce secure .env (exits if not compliant) from enforce import require_secure_env, get_credential require_secure_env()
Confidence: 95% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: #!/usr/bin/env bash set -euo pipefail # Validate .env exists and is secure if ! python3 ~/.openclaw/skills/credential-manager/scripts/enforce.py; then exit 1 fi
Confidence: 93% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: import os from pathlib import Path # Load .env env_file = Path.home() / '.openclaw' / '.env' with open(env_file) as f: for line in f:
Confidence: 89% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: from pathlib import Path # Load .env env_file = Path.home() / '.openclaw' / '.env' with open(env_file) as f: for line in f: if '=' in line and not line.strip().startswith('#'):
Confidence: 89% confidence
Finding: .env'

Credential Access

High

Category: Privilege Escalation
Content: - Memory files with `-creds` or `credentials` in the name **Sensitive Key Patterns:** - API keys, access tokens, bearer tokens - Secrets, passwords, passphrases - OAuth consumer keys - Private keys, signing keys, wallet keys
Confidence: 98% confidence
Finding: access tokens

Credential Access

High

Category: Privilege Escalation
Content: results = scan_locations() home = Path.home() env_file = home / '.openclaw' / '.env' old_files = [] for result in results:
Confidence: 75% confidence
Finding: .env'

Credential Access

High

Category: Privilege Escalation
Content: # Common credential file patterns CREDENTIAL_PATTERNS = [ "~/.config/*/credentials.json", "~/.config/*/*.credentials.json", "~/.openclaw/workspace/memory/*-creds.json", "~/.openclaw/workspace/memory/*credentials*.json",
Confidence: 94% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: # Common credential file patterns CREDENTIAL_PATTERNS = [ "~/.config/*/credentials.json", "~/.config/*/*.credentials.json", "~/.openclaw/workspace/memory/*-creds.json", "~/.openclaw/workspace/memory/*credentials*.json", "~/.openclaw/workspace/.env",
Confidence: 94% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: "~/.openclaw/workspace/skills/*/.env", "~/.openclaw/workspace/skills/*/repo/.env", "~/.openclaw/workspace/scripts/.env", "~/.local/share/*/credentials.json", "~/.*rc", # .bashrc, .zshrc, etc may contain exports ]
Confidence: 93% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: "~/.config/*/*.credentials.json", "~/.openclaw/workspace/memory/*-creds.json", "~/.openclaw/workspace/memory/*credentials*.json", "~/.openclaw/workspace/.env", "~/.openclaw/workspace/.env.*", "~/.openclaw/workspace/skills/*/.env", "~/.openclaw/workspace/skills/*/repo/.env",
Confidence: 94% confidence
Finding: .env"

Credential Access

High

Category: Privilege Escalation
Content: "~/.openclaw/workspace/memory/*credentials*.json", "~/.openclaw/workspace/.env", "~/.openclaw/workspace/.env.*", "~/.openclaw/workspace/skills/*/.env", "~/.openclaw/workspace/skills/*/repo/.env", "~/.openclaw/workspace/scripts/.env", "~/.local/share/*/credentials.json",
Confidence: 94% confidence
Finding: .env"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal