Skill v1.0.0
ClawScan security
Cxz9909 Credential Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 26, 2026, 12:59 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill largely does what it claims (scan, consolidate, secure a single ~/.openclaw/.env) but contains several aggressive, inconsistent, and high-impact choices (mandatory enforcement, file-deletion cleanup, hardcoded path in docs, contradictory backup guidance) that deserve careful review before use.
- Guidance
- This skill implements an aggressive 'single .env' policy and will read, back up, consolidate, and (if you confirm) delete credential files across your home directory. Before installing or running it: 1) Review the scripts locally (scan.py, consolidate.py, backup/cleanup) to ensure they match your expectations — they act on many paths and will copy sensitive files into backups and into a single ~/.openclaw/.env. 2) Note mismatches: CONSOLIDATION-RULE.md hardcodes a user path (/home/phan_harry), and docs recommend encrypted backups but the current backup implementation copies files unencrypted. 3) Test in a safe environment (non-production account or VM) and run scan.py and consolidate.py with --backup-only and without --yes to inspect findings. 4) Verify backups are encrypted or move them to an encrypted store before deleting originals. 5) Consider whether the 'never use environment variables/CLI args' rule fits your deployment model (CI, containers, secret managers). 6) If you intend to use enforce.py across other skills, be aware it will cause those scripts to exit unless the centralized .env exists and is 600; that can break automation. 7) If you want to adopt this tool, modify it to: encrypt backups, provide configurable exception policies (allow CI/service account patterns), remove hardcoded path artifacts, and log-safe auditing. If you are uncomfortable with a single-file consolidation of high-value secrets (private keys, mnemonics), prefer a secret manager or encrypted key store instead.
Review Dimensions
- Purpose & Capability
- note: The name/description match the code: the package scans for credential files, consolidates them into ~/.openclaw/.env, validates permissions, and can remove scattered files. That functionality is coherent with a 'credential manager'. However, documentation enforces a blanket "MANDATORY" policy and even contains a hardcoded path (/home/phan_harry/.openclaw/.env) in CONSOLIDATION-RULE.md — an odd artifact that doesn't match the scripts which use Path.home(). The strict 'root-only' requirement and disallowing credentials via environment variables or CLI args are design choices that are plausible for a particular security model but are unusually restrictive and may not be appropriate for many environments (CI, containers, team workflows).
- Instruction Scope
- concern: Runtime instructions and scripts scan many user locations (including ~/.config, ~/.local/share, and shell rc files), read potentially every credential-containing file, back up copies, and (with explicit confirmation) delete scattered files. While within the stated purpose, this is high-impact: it centralizes all secrets into one file (single blast radius) and the cleanup step will permanently delete files if confirmed. The SKILL.md's mandatory language and enforce.py suggest other skills should import this to refuse to run unless the .env exists — this creates cross-skill enforcement that may break legitimate workflows. The instructions do not reference any external network endpoints; the scripts do not appear to transmit data externally.
- Install Mechanism
- ok: There is no external install/download step in the skill package (no brew/npm/download URLs). The code is included in the skill bundle (Python scripts). That reduces supply-chain risk versus arbitrary remote downloads. Installing the skill will place these scripts on disk (they will be executed locally), which is expected for a utility of this nature.
- Credentials
- concern: The skill declares no required environment variables, yet its policy forbids using environment variables or CLI args for credentials (CORE-PRINCIPLE.md). The scripts operate on many files across the user's home directory and consolidate all secret types (API keys, private keys, mnemonics) into one file. That increases the value of the single file: if the .env is later exposed, many otherwise-isolated secrets become compromised. The docs recommend encrypted backups, but the backup implementation (backup_files) copies files to backups in plaintext — a mismatch between the claimed safeguards and actual behavior. The consolidation also normalizes and copies private keys and mnemonics without additional encryption at rest.
- Persistence & Privilege
- note: The skill is not always:true and does not modify other skills' files automatically. However, its enforce.py promotes a fail-fast model other skills can import to refuse execution unless the centralized .env exists and has correct permissions — this gives the credential manager strong policy enforcement capability across an installation if other skill authors adopt it. The skill itself does cleanup and can delete files (with confirmation), which is an elevated action but not an automatic privilege escalation.
