ClawHub

Bitwarden Secrets

v1.0.0

Safely access Bitwarden or Vaultwarden secrets via the bw CLI with redacted outputs by default. Use for vault sync, item search, metadata retrieval, and (onl...

2· 600·0 current·0 all-time
byClawBow_@clawbow
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the code is a small wrapper around the bw CLI providing redacted metadata views, search, sync, and an explicit reveal path. Required vault items and bw session usage are consistent with Bitwarden/Vaultwarden integration.
Instruction Scope
SKILL.md instructions are specific and limited: run the Python wrapper or source the bootstrap helper. The runtime steps only invoke the local bw CLI, parse its JSON, and print redacted JSON by default. The reveal action is gated by an environment variable and an explicit confirmation token, as documented.
Install Mechanism
No install spec or external downloads; this is an instruction-only skill with included helper scripts. Nothing is fetched from remote URLs and no archives are extracted, so install risk is low.
Credentials
The registry metadata lists no required env vars, but the scripts and SKILL.md clearly require BW_SESSION (from bw unlock) and optionally BW_PASSWORD for initial unlock; vw_env_export.sh expects BW_SESSION and will read items from the vault to produce BW_CLIENTID/BW_CLIENTSECRET/BW_PASSWORD. This is proportionate to the skill's purpose, but the lack of declared required env vars in the metadata is an inconsistency the user should be aware of.
Persistence & Privilege
always:false and default autonomous invocation settings are normal. The skill does not persist system-wide changes or modify other skills; bootstrapping only exports variables into the current shell when deliberately sourced by the user.
Assessment
This skill appears to do what it claims, but review these before installing/using: 1) Ensure the bw CLI is installed and you understand BW_SESSION: the scripts require an unlocked session (BW_SESSION) and will read vault items to populate BW_CLIENTID/BW_CLIENTSECRET/BW_PASSWORD into your shell when you source the bootstrap — that exposes those values to the current shell environment until you unset them. 2) Confirm the expected vault items (oc-bw-clientid, oc-bw-clientsecret, oc-bw-password or overrides) exist and contain the intended values. 3) The 'reveal' command will output secret values to stdout if you explicitly set VW_REVEAL_ALLOW=1 and pass --confirm YES_REVEAL; only use reveal in a trusted environment. 4) The registry metadata does not declare BW_SESSION/BW_PASSWORD even though the scripts use them — treat this as a metadata omission (not an immediate red flag) and avoid running in untrusted shells. 5) If you want stronger safety, run the scripts in an isolated shell or container, inspect the included scripts yourself, and avoid granting the agent unattended access to BW_SESSION or the ability to run the bootstrap automatically.

Like a lobster shell, security has layers — review code before you run it.

latestvk976t7qezkqq289a7cspvkdrzs819jmh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments