Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Confidant

v1.5.3

Secure secret handoff and credential setup wizard for AI agents. Use when you need sensitive information from the user (API keys, passwords, tokens) or need...

by Eric Santos (@ericsantos)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (secure secret handoff) aligns with what the scripts do (create a temporary web form, poll for submission, save secrets). However the skill delegates core behavior to an external CLI package (@aiconnect/confidant) that is not included in the repo; that external dependency is necessary but not shipped, so the skill's claimed capability depends on third-party code.
Instruction Scope
SKILL.md explicitly instructs agents to produce and share a human-facing URL and to run long-lived processes (tmux, server, polling). That scope is appropriate for the stated goal, but it requires the agent/human to share the URL in chat (which can create leakage if chat logs are stored) and to run long-running processes outside normal agent timeouts. The scripts themselves do not read unrelated secrets, but they rely on an external CLI to perform the actual polling and saving — that external CLI's behavior is not visible here.
Install Mechanism
There is no packaged install spec in the registry, but the scripts use npx --yes and setup.sh uses npm install -g to fetch @aiconnect/confidant and localtunnel from the public npm registry. This performs network downloads and global installs on the host (writes system-wide npm packages). The skill's own files do not include the server/CLI implementation, so runtime behavior depends on code downloaded from npm — increasing trust requirements.
Credentials
The registry metadata declares only curl, jq, and npm as required binaries, but the scripts also invoke utilities like lsof, fuser, pgrep, tmux, and optionally the lt binary — these are not listed. The skill does not request arbitrary environment credentials itself, but it will save received secrets to disk (e.g., ~/.config/<service>/api_key) or set env vars if asked. That storage behavior is central to the skill but is ultimately implemented by the external CLI.
Persistence & Privilege
The skill does not request always: true and is user-invocable. setup.sh installs npm packages globally (system-wide), which requires privileges and modifies the host environment. The skill starts background servers and can start a public tunnel (localtunnel), exposing a local port to the internet — expected for its function but higher-privilege and higher-risk than a pure in-memory helper.
What to consider before installing
This skill appears to implement what it claims, but exercise caution before installing or running it:
- The scripts delegate the real server/secret-storage logic to an external npm package (@aiconnect/confidant) which will be downloaded/installed by npx or npm. Inspect that package's source (npm page and linked GitHub repo) before running any install commands.
- setup.sh performs global npm installs. Prefer running tools in an isolated environment (container, VM) or avoid global install; consider using npx without --yes or auditing the package first.
- The tool can start a public tunnel (localtunnel/ngrok). If you use --tunnel you expose a local server to the internet — only do this when you fully trust the code and the environment, and avoid sending high-value secrets over an unfamiliar tunnel provider.
- SKILL.md instructs you to paste the generated URL into chat so the human can submit secrets. Remember chat logs and platform telemetry may retain that URL; treat it as sensitive and be aware of audit/logging implications.
- The metadata omits several binaries the scripts call (lsof, fuser, pgrep, tmux, lt). Ensure required utilities are present before use, and audit the scripts for unexpected behavior.

If you want to proceed safely: review the @aiconnect/confidant package source and npm version 1.5.3, run the tooling in an isolated sandbox, avoid global installs, and avoid using --tunnel unless necessary.


latestvk979ybh0kfr5d2hm8vc7cjyjfn81j2sr


Runtime requirements

🔐 Clawdis
Bins: curl, jq, npm
