Bitwarden Secrets

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Bitwarden helper, but optional setup scripts can expose full vault credentials despite the skill promising redacted, single-secret access.

Review before installing. The redacted `vw_cli.py` workflow is comparatively contained, but avoid the bootstrap/env-export flow as written unless you accept plaintext vault credentials in shell output, environment variables, and possibly `/tmp`. Run as a non-root user, delete any generated export file immediately, and reveal only one secret field after explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill invokes shell commands and relies on environment variables such as BW_SESSION and VW_REVEAL_ALLOW, but it does not declare permissions for those capabilities. Undeclared shell/env access weakens reviewability and least-privilege guarantees, which is especially sensitive here because the skill interfaces with a password vault and can sync, query, and under some conditions reveal secret fields.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The script exports multiple high-value secrets into the current shell, including BW_PASSWORD, BW_CLIENTID, BW_CLIENTSECRET, and BW_SESSION, which broadens exposure well beyond narrowly scoped redacted access. Any subsequent command, child process, debug output, crash report, or shell history mishandling in that environment can access these credentials, enabling vault unlock and API use without the single-secret confirmation model described in the skill metadata.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The script retrieves three vault secrets and prints them in plaintext as shell export commands, which directly contradicts the skill description that outputs are redacted by default and that secret revelation should require explicit confirmation. In an agent context, stdout is commonly logged, surfaced to users, or passed to other tools, so this creates a clear secret disclosure path.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
The script performs bulk extraction of multiple sensitive credentials (client ID, client secret, and master password) and emits all of them at once, which exceeds the stated behavior of revealing only a single secret field with explicit confirmation. Bulk export increases blast radius: a single invocation discloses enough material to enable further vault or account access if captured.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The comment suggests 'secure local use,' but the implementation outputs plaintext secrets to stdout for shell evaluation, which is not inherently secure because stdout may be recorded in shell history, terminal scrollback, agent traces, or logs. This mismatch can mislead users into unsafe handling of highly sensitive credentials.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script accesses and emits sensitive credentials without any explicit warning, consent prompt, or indication that running it will disclose plaintext secrets. In a skill ecosystem where the description promises redaction by default, the missing warning makes accidental exposure more likely and increases the chance of unsafe agent-driven execution.

VirusTotal

66/66 vendors flagged this skill as clean.
