Credential Vault

Security checks across malware telemetry and agentic risk

Overview

This is a real local credential vault, but it leaves powerful unlock material on disk and encourages plaintext secret export, so users should review it carefully before use.

Use only for local development unless the session-key design is fixed. Do not use `eval` on untrusted vault output, avoid echoing secrets or writing them to `/tmp` or shared text files, run `vault lock` promptly, and do not rely on this for production or team secret management without adding protected session storage, strict permissions, expiry, and safer export workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents file read/write and shell-based workflows but does not declare corresponding permissions, which weakens user awareness and any policy enforcement built around explicit capability declarations. In a credential-management skill, undeclared filesystem and shell access is especially sensitive because it handles secrets and writes session material to disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The description emphasizes encrypted credential storage, but the documented behavior also includes plaintext secret export to the shell, audit-log handling, metadata tracking, and persistence of a reusable session key on disk. This mismatch can cause users to underestimate the exposure surface and use the skill in riskier ways than intended.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code writes the derived session key directly to a predictable file on disk, unencrypted, and later reloads it to consider the vault unlocked. Any local process or user with access to that file can bypass the master password and decrypt all stored secrets, undermining the security model of the vault despite the credential values themselves being encrypted at rest.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The comment says the file stores the unlocked key only 'temporarily', but the implementation persists reusable key material on disk across commands until lock() is called. This mismatch is security-relevant because it can mislead reviewers and users into believing the vault is safer than it is, reducing scrutiny around a mechanism that effectively weakens the vault's lock boundary.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The `env` command enumerates stored secrets and prints them in plaintext as `KEY=VALUE` lines to stdout. In a credential vault context, this materially increases disclosure risk because shell history, terminal scrollback, logs, CI output capture, or process piping can expose all secrets at once.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The example normalizes handling secrets in ways that disclose them to stdout, such as printing a prefix of the API key and later using `vault get`/`echo $OPENAI_API_KEY` in debugging flows. Even partial secret output can leak into terminal scrollback, logs, screen recordings, shell history contexts, or observability tooling, increasing the chance of credential exposure during normal use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The CI/team-sharing examples export secrets into plaintext files such as `/tmp/prod.env` and `shared_keys.txt`, creating recoverable artifacts on disk. Although one section includes a warning, the guidance still demonstrates a risky workflow that can expose credentials through backups, forensic recovery, other local users, or accidental inclusion in logs and tooling.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly demonstrates printing secrets to stdout and exporting them into the shell environment via `eval $(uv run vault env --tag ...)` without warning about exposure paths such as terminal scrollback, shell history, subprocess inheritance, crash dumps, or accidental logging. In a credential-management skill, normalizing plaintext retrieval increases the chance users will handle secrets unsafely and defeats part of the benefit of encrypted-at-rest storage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented `eval $(uv run vault env --tag ...)` pattern injects decrypted secrets directly into the current shell environment, where they may be exposed through shell history, child processes, crash dumps, debugging output, or accidental echo/logging. Because the example lacks a prominent warning, users may treat it as a safe default despite materially increasing plaintext secret exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Persisting the session key to disk without warning or informed consent creates a hidden security downgrade in a product advertised as encrypted credential storage. Users may assume secrets are protected once the vault is locked by password, but the undisclosed session file allows continued decryption by anyone who can read that file during the session window.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code prints credential values directly to stdout without any warning or safeguards. Secret output to stdout is dangerous because it can be captured by logs, copied unintentionally, exposed in shared terminals, or consumed by unrelated tools, causing confidentiality loss.

Credential Access

High
Category
Privilege Escalation
Content
$ uv run vault env --tag production > /tmp/prod.env

# Use in CI
$ source /tmp/prod.env
$ echo $OPENAI_API_KEY
sk-proj-abc123...
Confidence
97% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
- Session key: `~/.openclaw/vault/session` (temporary, cleared on lock)

### Permissions
- Vault file: `0600` (owner read/write only)
- Session key: deleted on `vault lock`

### Threat Model
Confidence
90% confidence
Finding
write only)
- Session key: deleted on `vault lock`

### Threat Model
**Protects against:**
- ✅ Accidental credential leaks (git commits, logs)
- ✅ Casual file browsing
- ✅ Malware reading `.env` files

VirusTotal

64/64 vendors flagged this skill as clean.
