Confidant

Review

Audited by ClawScan on May 10, 2026.

Overview

Confidant is aligned with its secret-handoff purpose, but it handles very sensitive credentials through unpinned npm tools, public tunnel options, and a mode that can expose secrets in agent output.

Install only if you trust the @aiconnect/confidant and localtunnel npm packages. Prefer pinned/manual installs, avoid stdout mode for secrets, use local access or a trusted tunnel when possible, verify the URL before sharing it, provide scoped/revocable credentials, and stop any tmux/server/tunnel processes after the handoff.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may receive or save API keys, passwords, or tokens that can access your accounts or services.

Why it was flagged

The skill is explicitly meant to collect and store credentials. That is purpose-aligned, but it gives the agent access to high-impact secrets.

Skill content
Use when you need sensitive information from the user (API keys, passwords, tokens) or need to save credentials to config files.
Recommendation

Use narrowly scoped, revocable credentials; confirm exactly where each secret will be saved; rotate any secret if it may have been exposed.

What this means

A changed or compromised npm package could run code on the user’s machine and handle submitted credentials.

Why it was flagged

If the expected binaries are absent, the helper auto-downloads and runs unpinned npm packages. The external Confidant CLI is not included in the reviewed files but performs the polling and saving of secrets.

Skill content
npx --yes @aiconnect/confidant "$@" ... npx --yes localtunnel --port "$PORT"
Recommendation

Prefer reviewed and pinned package versions, install manually from a trusted source, and avoid automatic npx execution for credential-handling code.

What this means

On a shared or compromised machine, a different local service could receive the request flow or direct the user to an unexpected credential form.

Why it was flagged

The script trusts an already-running localhost service that answers the health check before creating the credential request. In a secret-submission workflow, the identity of the local server and any tunnel endpoint matters.

Skill content
if server_running; then
  : # Server already running
else
  ...
REQUEST_OUTPUT=$(curl -sf -X POST "http://localhost:${PORT}/requests"
Recommendation

Use a fresh, verified Confidant server instance; avoid reusing unknown localhost services or tunnels; verify the URL and port before sharing it with the user.

What this means

A user may believe the secret cannot enter history or logs, while a documented mode can expose the secret to the agent’s command output.

Why it was flagged

The broad privacy claim is weakened by the documented stdout mode. In agent runtimes, stdout may be captured in transcripts, logs, or model context.

Skill content
no chat exposure, no copy-paste, no history leaks ... Without `--service` or `--save`, the script still polls and prints the secret to stdout
Recommendation

Use `--service` or `--save` instead of stdout mode, redact tool outputs, and update the documentation to clearly warn that stdout is not history-free.

Note (High Confidence)
ASI10: Rogue Agents
What this means

A background Confidant server or tmux session may remain running after the secret handoff if the user or agent does not stop it.

Why it was flagged

The documented workflow intentionally starts a long-running background server/session. This is disclosed and supports human-in-the-loop secret submission, but it can persist beyond the immediate task.

Skill content
Always run Confidant inside a tmux session ... tmux new-session -d -s confidant ... confidant serve --port 3000
Recommendation

Stop the tmux session/server after use and remove any tunnel or temporary files that are no longer needed.