Cxz9909 Credential Manager

Security checks across malware telemetry and agentic risk

Overview

This credential-management skill has a coherent purpose, but it asks for broad authority over sensitive secrets, including scanning, copying, centralizing, and deleting credential files.

Install only if you intend to let this skill inspect and reorganize local secrets. Run scan-only first, avoid --yes and cleanup until you have reviewed every file, do not consolidate wallet seed phrases or private keys into plaintext unless you explicitly accept that risk, and verify backup permissions or use an encrypted secret manager for high-value credentials.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (21)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill describes capabilities to scan the filesystem, read credential files, write a consolidated .env, modify .gitignore, and invoke shell scripts, but it does not declare explicit permissions or bounds for those actions. That mismatch is dangerous because a host agent may grant broad implicit access, allowing sensitive file discovery and modification without transparent user consent or enforcement of least privilege.

Description-Behavior Mismatch

Medium

Confidence: 92% confidence
Finding: The scanner reaches beyond OpenClaw-specific locations by including generic shell rc files like ~/.bashrc and ~/.zshrc, which commonly contain unrelated personal or system secrets. That broadens collection scope unnecessarily and can expose credentials unrelated to the stated migration purpose, violating least-privilege expectations for a setup utility.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The --paths argument allows callers to extend scanning to arbitrary filesystem locations, turning a targeted credential migration helper into a general file-enumeration tool. In an agent context, this can be abused to inspect sensitive directories outside the intended workspace and discover secret-bearing files.

Natural-Language Policy Violations

Medium

Confidence: 92% confidence
Finding: The document hard-codes a specific absolute path under a named user home directory, which can cause credentials to be centralized into the wrong account or copied into an unexpected location on systems with different users or privilege boundaries. In a credential-management skill, this is more dangerous because it directs handling of sensitive secrets and may encourage operators to place all credentials in a predictable path without validating ownership, environment, or multi-user isolation.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The rule describes scanning, consolidating, and removing credential files, but does not prominently warn about deletion risk, conflict resolution, rollback procedure, or the consequences of consolidating the wrong files. In this context, destructive handling of secrets is especially risky because accidental deletion, overwriting, or partial merges can break services and cause credential loss or insecure recovery behavior.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README explicitly says the skill will clean up scattered credential files after migration, but it does not pair that destructive action with a strong warning to verify backups, confirm target paths, and manually inspect the consolidated .env before deletion. In a credential-management context, accidental deletion or premature cleanup can cause credential loss, service outages, or removal of the only recoverable copy of a secret.

Natural-Language Policy Violations

Medium

Confidence: 86% confidence
Finding: The documentation mandates a single credential location and explicitly states users are 'forced to fix it,' creating a fail-closed control with no exception path for valid environments such as secret managers, containerized deployments, or enterprise credential stores. This is dangerous because it can push users toward insecure centralization or break safer deployment models in order to satisfy the skill's policy.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: This documentation describes broad credential discovery, normalization, and consolidation across many services, including generic secret patterns, but does not warn that the process will scan for and process highly sensitive material. In a credential-management skill, that omission matters because users may run it in repositories or home directories containing unrelated secrets, increasing the risk of over-collection, accidental inclusion in a unified .env, or mishandling during backup and migration workflows.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The backup routine duplicates secret-bearing files into a backup directory without setting restrictive permissions or warning the operator that credential material will be copied again. This increases secret exposure by leaving additional plaintext copies on disk, and the copies inherit default umask behavior rather than an explicitly enforced secure mode.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The script aggregates credentials from multiple sources into a single ~/.openclaw/.env file, concentrating many secrets into one location without an upfront warning about the security tradeoff. While consolidation can improve manageability, it also creates a high-value target and may surprise users who did not intend broad secret aggregation.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script scans files likely to contain secrets and reports metadata about them, but it does not present an explicit warning, consent gate, or safe-handling notice before accessing sensitive material. In agent-driven workflows, silent secret discovery increases the chance of overcollection and unexpected exposure of credential locations and names.

Autonomous Decision Making

Medium

Category: Excessive Agency
Content: # Interactive mode (prompts before changes) ./scripts/consolidate.py # Auto-confirm (no prompts) ./scripts/consolidate.py --yes # Backup only
Confidence: 78% confidence
Finding: Auto-confirm

Credential Access

High

Category: Privilege Escalation
Content: The skill automatically detects credentials by scanning for: **File Patterns:** - `credentials.json` files in config directories - `.env` files - Memory files with `-creds` or `credentials` in the name
Confidence: 94% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: --- name: credential-manager description: MANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional — centralized credential management is a core requirement for secure OpenClaw deployments. Scans for credential files across common locations, backs up existing files, creates a unified .env with mode 600, validates security, and enforces best practices. --- # Credential Manager
Confidence: 90% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: --- name: credential-manager description: MANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional — centralized credential management is a core requirement for secure OpenClaw deployments. Scans for credential files across common locations, backs up existing files, creates a unified .env with mode 600, validates security, and enforces best practices. --- # Credential Manager
Confidence: 90% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: --- name: credential-manager description: MANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional — centralized credential management is a core requirement for secure OpenClaw deployments. Scans for credential files across common locations, backs up existing files, creates a unified .env with mode 600, validates security, and enforces best practices. --- # Credential Manager
Confidence: 90% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: # Add credential-manager scripts to path sys.path.insert(0, str(Path.home() / '.openclaw/skills/credential-manager/scripts')) # Enforce secure .env (exits if not compliant) from enforce import require_secure_env, get_credential require_secure_env()
Confidence: 88% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: #!/usr/bin/env bash set -euo pipefail # Validate .env exists and is secure if ! python3 ~/.openclaw/skills/credential-manager/scripts/enforce.py; then exit 1 fi
Confidence: 87% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: import os from pathlib import Path # Load .env env_file = Path.home() / '.openclaw' / '.env' with open(env_file) as f: for line in f:
Confidence: 84% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: from pathlib import Path # Load .env env_file = Path.home() / '.openclaw' / '.env' with open(env_file) as f: for line in f: if '=' in line and not line.strip().startswith('#'):
Confidence: 82% confidence
Finding: .env'

Credential Access

High

Category: Privilege Escalation
Content: - Memory files with `-creds` or `credentials` in the name **Sensitive Key Patterns:** - API keys, access tokens, bearer tokens - Secrets, passwords, passphrases - OAuth consumer keys - Private keys, signing keys, wallet keys
Confidence: 93% confidence
Finding: access tokens

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal