Skill v1.0.1
ClawScan security
ClawHub's context-aware review of the artifact, metadata, and declared behavior.

# key-guard

A local MCP server that keeps API keys off Claude's servers.

## Why This Exists

When Claude reads a file containing an API key, the raw key content gets sent to Claude's servers. key-guard prevents this by acting as a local middleman — Claude calls a tool, the tool reads the key and makes the API call locally, and only the result is returned to Claude.
Scanner verdict
Suspicious (Mar 10, 2026, 11:52 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely does what it claims (acts as a local MCP to avoid sending raw keys to Claude) but has several implementation and scope issues that could lead to accidental key leakage or misuse (arbitrary URL calls with keys, writing keys into arbitrary files, partial key exposure, and masking gaps).
- Guidance: This skill implements a reasonable local-proxy approach to keep raw key values out of Claude, but several real risks remain:
  - call_api will send the actual key to any URL you (or the agent) specify. Only let the MCP call trusted endpoints; otherwise a malicious prompt could exfiltrate keys.
  - write_file_with_keys will substitute real keys and write them to any file path. That can overwrite system files or persist secrets in unexpected places; restrict usage and review paths before writing.
  - read_file_masked replaces key occurrences only for values >= 8 characters. Short keys may not be masked and could be exposed if files are read improperly.
  - validate_key reveals key length and a 4-char preview, which is partial secret leakage; if this is unacceptable, remove or change that behavior.
  - list_keys may not show keys that exist only in process.env (it reads .env and KG_ prefixed shell vars), which can confuse users.

  Before installing:
  - Inspect and (if desired) modify key-guard.js to restrict allowed call_api hostnames, restrict write_file_with_keys to safe directories, and tighten masking/preview behavior.
  - Keep the MCP process running under an unprivileged user (do not run as root) and store .env in a controlled location.
  - Only install/run this skill from a trusted source and avoid letting untrusted prompts or agents invoke the MCP tools.

  If you want a safer default, require an allowlist of target hostnames and allowed file path prefixes and remove preview/length leakage in validate_key.
Review Dimensions
- Purpose & Capability (note): The skill's name/description match the included code: a local MCP server that reads local keys and performs requests so Claude never directly sees key values. Reading .env and shell profiles is necessary for the stated purpose. Minor inconsistency: list_keys/read_file_masked derive keys from .env and special-prefixed shell vars but getKey also checks process.env — list_keys may omit keys set only in process.env, which is confusing for users.
- Instruction Scope (concern): SKILL.md instructs Claude to never read key files and to call the MCP tools for key-related tasks, which is appropriate. However, the MCP exposes tools that allow: (a) making authenticated requests to arbitrary URLs (call_api), which could be used to exfiltrate keys if an agent is malicious or a user instructs a call to an attacker-controlled endpoint; (b) writing files with real keys substituted (write_file_with_keys) to any path, which can overwrite arbitrary files; and (c) read_file_masked only masks keys of length >= 8 by simple string replacement—short keys are not masked and could be exposed. The SKILL.md claims 'NEVER read .env' is a rule for Claude, but the MCP server itself necessarily reads .env locally — that distinction is subtle and should be explicit in the doc.
- Install Mechanism (ok): No remote install or downloads; code is included in the bundle and registration is manual via MCP config. There is no external network fetch or extract-of-remote-archive during install, which reduces risk.
- Credentials (concern): The server reads .env and several shell profile files and will substitute keys from them. That is proportionate to its goal, but there are some concerning behaviors: validate_key returns the key length and a 4-char prefix preview (partial secret leakage); read_file_masked only masks key strings >= 8 chars; write_file_with_keys will insert full secrets into arbitrary files; and call_api will attach full keys to requests to any supplied URL. These behaviors are powerful and should be constrained or limited to trusted endpoints and file paths.
- Persistence & Privilege (ok): The skill does not request always:true and doesn't modify other skills or system-wide settings. It runs as a user-space MCP process when registered — normal for this use case.
