ipeaky

Security checks across malware telemetry and agentic risk

Overview

This looks like a real API-key manager, but it needs Review because it overstates secret-safety guarantees and bundles high-impact Stripe billing scripts beyond the core purpose.

Install only after reviewing the credential-handling limits. Prefer the v3 single-key storage path over v4 until v4 avoids visible input and argv/env exposure. Do not run the paid-tier Stripe scripts unless you intentionally want this skill to store a Stripe secret and create checkout sessions. Treat every key test as sending the key to that provider, and use test or least-privileged keys where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents shell execution, config reads/writes, and access to environment-backed secrets, but does not declare corresponding permissions. This creates a trust and policy bypass problem: reviewers and runtime controls may underestimate what the skill can do, while the skill handles highly sensitive API credentials and modifies persistent configuration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose is secure local API-key management, but the document also introduces unrelated paid-tier and Stripe billing operations plus additional persistence/monitoring behaviors noted by analysis. Mixing credential management with payment flows broadens the attack surface and can mislead users into granting sensitive capabilities under a narrower trust assumption.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill claims keys never touch the network, but its testing instructions explicitly send stored API keys to third-party vendor endpoints. This is dangerous because users may rely on the stronger privacy claim and unknowingly authorize external transmission of secrets.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation says keys never touch the network in the preferred storage flow, but later sections provide live testing steps that do transmit the key externally. Even if storage itself is local-only, the unqualified claim is misleading for a security-sensitive workflow involving credentials.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Paid-tier billing and Stripe checkout are unrelated to the core job of local API-key management, yet they are embedded in the same skill. This unnecessary coupling increases exposure to financial abuse, secret misuse, and user deception because a credential utility now also initiates payment-related actions.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This script explicitly adds paid-tier Stripe checkout functionality, which is outside the declared purpose of the skill as secure API-key management. That scope expansion is dangerous because a user or operator may trust the skill with secrets-management duties while it also contains monetization/payment code that can trigger external financial flows and consume stored Stripe credentials.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code actively creates Stripe Checkout sessions using a secret key retrieved from configuration, introducing financial transaction capability unrelated to the advertised key-management context. In a secrets-management skill, hidden or secondary payment logic is especially risky because it can misuse stored credentials and cause unauthorized billing flows or social-engineering abuse under the guise of routine key setup.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script tells users their Stripe secret key is stored in openclaw.json and is 'encrypted at rest by OS keychain,' but the shown code does not establish or verify that protection. Misrepresenting secret storage guarantees can cause users to trust plaintext or weakly protected credential storage, increasing the chance of API key disclosure from local files, backups, or other skills/processes.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script accepts arbitrary dotted config paths and writes the supplied secret to any location in openclaw.json, not just approved API-key fields. In a skill context, this creates a broad configuration-modification primitive that could alter unrelated security-relevant settings, making the skill more dangerous than its stated purpose of key storage.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The script’s safety claim is misleading because secret values are passed to subprocesses as command-line arguments, notably `openclaw config set "$CONFIG_PATH" "$KEY_VAL"`. On many systems, process arguments can be visible to other local processes via tools like `ps`, activity monitors, or auditing mechanisms, so secrets may be exposed despite the comment claiming 'zero exposure.' In a key-management skill, this is more dangerous because users are explicitly encouraged to paste highly sensitive credentials and may trust the no-exposure guarantee.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The live validation tests pass API keys directly in curl header arguments, which can expose secrets via the local process list to other users or monitoring tools on the same machine. This contradicts the script's broader goal of secure key handling and creates an avoidable secret-disclosure path during testing.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase "store my key" is broad enough that it could activate during ordinary conversation or when a user is discussing secrets abstractly, causing the skill to prompt for or handle sensitive credentials unexpectedly. In a credential-management skill, accidental activation is more dangerous than usual because it can lead users into entering API keys when they did not intend to invoke the storage workflow.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases are broad enough to activate on common setup or troubleshooting requests that may not specifically intend key management. In a skill that handles secrets and persistent config changes, overbroad activation increases the chance of unintended invocation and unsafe prompting around credentials.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The testing workflow instructs the system to send the key to vendor endpoints but does not clearly warn the user that secret material will be transmitted off-host. For a security-focused skill, omission of that warning undermines informed consent and may violate user expectations about secrecy boundaries.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
After collecting the key, the script silently writes configuration changes and restarts the gateway without an explicit runtime confirmation describing those side effects. In a user-triggered agent skill, this can cause unexpected configuration changes or service disruption, especially because the skill already has the ability to write arbitrary config paths.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script automatically uses environment-provided API keys to make real outbound requests, but the file does not present an explicit warning at the point of use about external transmission or billing/privacy implications. In a test suite for secret-management tooling, silent live validation increases the chance of users unintentionally sending production credentials to third-party services.

External Transmission

Medium
Category
Data Exfiltration
Content
Test endpoints:
- **OpenAI**: `curl -s -H "Authorization: Bearer $KEY" https://api.openai.com/v1/models | head`
- **ElevenLabs**: `curl -s -H "xi-api-key: $KEY" https://api.elevenlabs.io/v1/user`
- **Anthropic**: `curl -s -H "x-api-key: $KEY" -H "anthropic-version: 2023-06-01" https://api.anthropic.com/v1/messages -d '{"model":"claude-3-haiku-20240307","max_tokens":1,"messages":[{"role":"user","content":"hi"}]}'`
- **Brave Search**: `curl -s -H "X-Subscription-Token: $KEY" "https://api.search.brave.com/res/v1/web/search?q=test&count=1"`
Confidence
78% confidence
Finding
curl -s -H "xi-api-key: $KEY" https://api.elevenlabs.io/v1/user` - **Anthropic**: `curl -s -H "x-api-key: $KEY" -H "anthropic-version: 2023-06-01" https://api.anthropic.com/v1/messages -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Testing a Key

Test endpoints:
- **OpenAI**: `curl -s -H "Authorization: Bearer $KEY" https://api.openai.com/v1/models | head`
- **ElevenLabs**: `curl -s -H "xi-api-key: $KEY" https://api.elevenlabs.io/v1/user`
- **Anthropic**: `curl -s -H "x-api-key: $KEY" -H "anthropic-version: 2023-06-01" https://api.anthropic.com/v1/messages -d '{"model":"claude-3-haiku-20240307","max_tokens":1,"messages":[{"role":"user","content":"hi"}]}'`
- **Brave Search**: `curl -s -H "X-Subscription-Token: $KEY" "https://api.search.brave.com/res/v1/web/search?q=test&count=1"`
Confidence
78% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Test endpoints:
- **OpenAI**: `curl -s -H "Authorization: Bearer $KEY" https://api.openai.com/v1/models | head`
- **ElevenLabs**: `curl -s -H "xi-api-key: $KEY" https://api.elevenlabs.io/v1/user`
- **Anthropic**: `curl -s -H "x-api-key: $KEY" -H "anthropic-version: 2023-06-01" https://api.anthropic.com/v1/messages -d '{"model":"claude-3-haiku-20240307","max_tokens":1,"messages":[{"role":"user","content":"hi"}]}'`
- **Brave Search**: `curl -s -H "X-Subscription-Token: $KEY" "https://api.search.brave.com/res/v1/web/search?q=test&count=1"`
Confidence
78% confidence
Finding
https://api.elevenlabs.io/

External Transmission

Medium
Category
Data Exfiltration
Content
Test endpoints:
- **OpenAI**: `curl -s -H "Authorization: Bearer $KEY" https://api.openai.com/v1/models | head`
- **ElevenLabs**: `curl -s -H "xi-api-key: $KEY" https://api.elevenlabs.io/v1/user`
- **Anthropic**: `curl -s -H "x-api-key: $KEY" -H "anthropic-version: 2023-06-01" https://api.anthropic.com/v1/messages -d '{"model":"claude-3-haiku-20240307","max_tokens":1,"messages":[{"role":"user","content":"hi"}]}'`
- **Brave Search**: `curl -s -H "X-Subscription-Token: $KEY" "https://api.search.brave.com/res/v1/web/search?q=test&count=1"`

Source the key from the config (via gateway config.get), test it, report result. Never show the key.
Confidence
79% confidence
Finding
https://api.anthropic.com/

External Transmission

Medium
Category
Data Exfiltration
Content
- **OpenAI**: `curl -s -H "Authorization: Bearer $KEY" https://api.openai.com/v1/models | head`
- **ElevenLabs**: `curl -s -H "xi-api-key: $KEY" https://api.elevenlabs.io/v1/user`
- **Anthropic**: `curl -s -H "x-api-key: $KEY" -H "anthropic-version: 2023-06-01" https://api.anthropic.com/v1/messages -d '{"model":"claude-3-haiku-20240307","max_tokens":1,"messages":[{"role":"user","content":"hi"}]}'`
- **Brave Search**: `curl -s -H "X-Subscription-Token: $KEY" "https://api.search.brave.com/res/v1/web/search?q=test&count=1"`

Source the key from the config (via gateway config.get), test it, report result. Never show the key.
Confidence
78% confidence
Finding
https://api.search.brave.com/

External Transmission

Medium
Category
Data Exfiltration
Content
echo "  Price: $PRICE_ID"
echo ""

RESPONSE=$(curl -s -w "\n%{http_code}" \
    -X POST https://api.stripe.com/v1/checkout/sessions \
    -u "$STRIPE_SECRET_KEY:" \
    -d "mode=$MODE" \
Confidence
88% confidence
Finding
curl -s -w "\n%{http_code}" \ -X POST https://api.stripe.com/v1/checkout/sessions \ -u "$STRIPE_SECRET_KEY:" \ -d "mode=$MODE" \ -d "line_items[0][price]=$PRICE_ID" \ -d "line_item

External Transmission

Medium
Category
Data Exfiltration
Content
BODY=$(echo "$CONFIG_JSON" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('body') or '')")

if [ -n "$BODY" ] && [ "$BODY" != "None" ] && [ "$BODY" != "null" ]; then
  HTTP_CODE=$(curl -s -o "$RESP_FILE" -w "%{http_code}" \
    -X "$METHOD" \
    -H @"$HFILE" \
    -d "$BODY" \
Confidence
92% confidence
Finding
curl -s -o "$RESP_FILE" -w "%{http_code}" \ -X "$METHOD" \ -H @"$HFILE" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.