Dashpass

Security checks across malware telemetry and agentic risk

Overview

DashPass is a real credential-vault skill, but it gives an agent broad power to reveal, export, and delete secrets with weaker safeguards than its security claims imply.

Review carefully before installing. Use it only in a controlled testnet or non-production setup unless you add your own approval gates. Avoid production secrets and mainnet wallet keys, avoid eval-based env export, disable or isolate logs around secret retrieval, and assume any retrieved secret may be visible to the agent and its surrounding tooling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding:
The skill is presented as an encrypted credential vault for storing and retrieving secrets, but the contract also defines an on-chain accessLog document that records service names, actions such as get/export/delete, agent identifiers, and timestamps. That creates additional sensitive metadata collection and persistence beyond the stated purpose, which can expose operational behavior and access patterns even if credential contents remain encrypted.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding:
On-chain logging of agent access metadata is risky in a credential-vault context because it reveals which services are used, when they are accessed, and which agent performed the action. In a secrets-management product, this metadata can itself be highly sensitive, enabling profiling, targeting, or inference of privileged operations, and immutable on-chain storage makes later redaction difficult or impossible.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding:
The `env` command emits shell code intended for `eval`, which turns secret retrieval into command execution in the caller's shell context. If service names, output encoding, or upstream data are ever manipulated, this pattern can lead to shell injection; even without injection, exporting secrets broadly into the environment increases exposure to child processes, shell history mistakes, and debugging/logging leaks.

Intent-Code Divergence

Medium
Confidence: 92%
Finding:
The document makes a strong security claim that the AI 'cannot exfiltrate' the private key from environment variables, while also stating the system uses the user's key from the local environment. In an AI-agent credential-management skill, that assurance is unsafe because any process with access to secrets in the runtime may be able to read, misuse, or relay them unless strict isolation is actually enforced and documented; overstated guarantees can cause users to adopt a riskier trust model than the system truly provides.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding:
The `env` command decrypts stored secrets and prints shell `export` statements to stdout, enabling easy exfiltration through terminal logs, command substitution, process capture, shell history workflows, CI logs, or accidental redirection. In an AI-agent credential vault, emitting plaintext secrets is especially risky because agent frameworks often capture and forward stdout, so this materially expands exposure beyond storage/retrieval.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding:
The CLI handles `CRITICAL_WIF` directly and adds commands to split and manage shares of the wallet private key itself, which is a far more sensitive capability than ordinary vault CRUD. That broadens the trust boundary of the tool: compromise, misuse, or operator confusion could expose the identity-signing key that protects the entire vault and potentially other wallet functions.

Vague Triggers

Medium
Confidence: 89%
Finding:
The activation guidance is broad enough to trigger this skill for generic 'credential management strategy' or comparison discussions, not just concrete vault operations. In an agent environment, that increases the chance the skill is invoked in contexts where secrets may be handled, exported, deleted, or discussed without a narrowly scoped user request, expanding the blast radius for misuse or accidental disclosure.

Missing User Warnings

Medium
Confidence: 82%
Finding:
The quick-reference section presents sensitive operations such as retrieval, deletion, rotation, and especially `eval $(node $CLI env ...)` without adjacent warnings about disclosure, shell injection risk, or destructive effects. In a credential-management skill, concise examples are likely to be copied verbatim, so missing safety guardrails materially increase the chance of accidental secret exposure or unsafe execution.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The documentation encourages `eval $(node dashpass-cli.mjs env ...)` without prominently warning that this executes generated shell code and spreads secrets into the current shell environment. This can enable command injection if output is not perfectly escaped and can also cause secrets to persist in process environments where other tools, subprocesses, crash reports, or logs may expose them.

Missing User Warnings

Low
Confidence: 74%
Finding:
The document acknowledges that service names and credential types are visible on-chain, but presents this only later as a limitation instead of as a prominent privacy warning near the main trust claims. For a credential vault, metadata can itself be highly sensitive because it reveals providers, infrastructure, vendors, and operational relationships, enabling profiling or targeted attacks even if secret values remain encrypted.

Missing User Warnings

Medium
Confidence: 77%
Finding:
The `delete` command removes all matching credential documents for a service immediately, with no confirmation prompt, dry-run, or `--force` safeguard. In agentic or scripted contexts, a typo or maliciously influenced invocation can irreversibly destroy secrets and break dependent services, causing availability and recovery issues.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The `env` command emits decrypted credential values directly as shell export statements without a prominent warning that stdout now contains secrets. That is dangerous because many operational environments (including AI agents, wrappers, CI systems, terminals, and logging infrastructure) record stdout by default, turning normal use into plaintext secret disclosure.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The guide instructs users to export a private key into an environment variable, but does not warn that environment variables can be exposed through shell history, process listings, inherited subprocess environments, crash dumps, or CI logs. In a credential-vault skill, this is especially sensitive because the WIF is the root secret used to decrypt stored credentials, so compromise of the variable can expose the entire vault.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The retrieval examples print decrypted secret values directly to the terminal, including a pipe-friendly mode intended for scripting, without warning that terminals, shell scrollback, session recording, logs, and downstream command pipelines may capture the secret. Given this skill’s purpose is handling API keys and passwords, normalizing plaintext display increases the chance of accidental disclosure during routine use.

VirusTotal

67/67 vendors flagged this skill as clean.