# key-guard

A local MCP server that keeps API keys off Claude's servers.

## Why This Exists

When Claude reads a file containing an API key, the raw key content gets sent to Claude's servers. key-guard prevents this by acting as a local middleman — Claude calls a tool, the tool reads the key and makes the API call locally, and only the result is returned to Claude.

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate goal of keeping API keys local, but it gives a local MCP server broad, under-scoped power over secrets, network requests, and file writes.

Install only if you are comfortable running a local MCP server that can read and use API keys, make authenticated outbound requests, and modify files. Before trusting it, restrict allowed key names, bind each key to trusted HTTPS domains, limit file operations to a specific workspace, and require explicit confirmation before any write or credentialed request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 85%
Finding: The skill declares no permissions while explicitly handling environment-backed secrets and key-related operations. That mismatch reduces transparency and weakens review controls, making it easier for a high-risk skill to be installed or invoked without appropriate scrutiny.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The stated purpose is a narrow guardrail, but the documented behavior grants broad secret discovery, arbitrary masked file reads, arbitrary file writes with secret substitution, and arbitrary outbound authenticated requests. This is dangerous because a broadly-triggered skill with these capabilities can be abused as a confused deputy to access credentials, modify files, and exfiltrate data through attacker-chosen destinations.

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The skill claims to prevent reading secrets from .env files or scripts, but it exposes arbitrary file read and write tools that operate on attacker-controlled paths. Although read_file_masked attempts redaction, it still permits broad local file access and write_file_with_keys can materialize real secrets into any file, violating the guardrail's stated purpose.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: write_file_with_keys substitutes real secret values into arbitrary file content and writes the result to any resolved path. This enables persistence or relocation of credentials into scripts, config files, logs, or world-readable locations, creating a direct secret exposure channel despite the tool's guardrail branding.

Context-Inappropriate Capability
Severity: Medium
Confidence: 86%
Finding: Listing all available key names from .env and shell profiles expands the disclosure surface beyond what is needed to safely broker API calls. Even without values, secret names reveal which providers, environments, and internal systems are in use, which can aid targeted abuse or social engineering.

Vague Triggers
Severity: Medium
Confidence: 93%
Finding: Triggering on any request to call an external API is overly broad and can cause the skill to activate in many normal workflows unrelated to secret protection. Because the skill exposes sensitive operations through MCP, unnecessary invocation increases the chance that user content gets routed through high-privilege tooling without clear need.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The condition 'Debug why an API call is failing' is ambiguous and not limited to key-related troubleshooting. In context, that ambiguity matters because it can route broad debugging tasks into a skill that can inspect files, validate secrets, and make authenticated outbound requests.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The file-writing tool performs local writes immediately, with no confirmation gate, destination restrictions, or user-visible warning at execution time. In an agent setting, this increases the risk of unintended or stealthy modification of local files, especially when combined with secret substitution.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: call_api injects local credentials into requests to any user-supplied URL without origin allowlisting or confirmation. This lets an attacker route secrets to an arbitrary host via the Authorization header, effectively exfiltrating local API keys while preserving the claim that the raw key was never shown to Claude.

Session Persistence
Severity: Medium
Category: Rogue Agent
Content:

You can now safely view and suggest edits to the non-key parts.

### Tool 4: `write_file_with_keys`
Write a file back after editing, with `{{KEY_NAME}}` placeholders substituted with real key values locally.
```
Call: write_file_with_keys({
  file_path: "./call.sh",
  content: "curl -H 'Authorizatio
```

Confidence: 94%
Finding:

VirusTotal

65/65 vendors flagged this skill as clean.