Confidant
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: confidant
Version: 1.5.3

This skill is classified as suspicious because of several high-risk capabilities and potential vulnerabilities, despite its stated purpose of secure secret handling. Key indicators: `scripts/setup.sh` and `scripts/request-secret.sh` fetch and run external packages (`@aiconnect/confidant`, `localtunnel`) with `npm install -g` and `npx --yes`, a supply-chain risk, since whatever the registry serves at that moment runs with the user's privileges. The `--tunnel` option in `scripts/request-secret.sh` publishes the local service to the public internet through `localtunnel`, which substantially enlarges the attack surface. The `--save <path>` and `--env <varname>` options in `scripts/request-secret.sh` write a secret to any file path, or set any environment variable, that the caller names. They are presented as features, but a prompt injection against the agent could use them to write to sensitive locations or overwrite critical environment variables.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may receive or save API keys, passwords, or tokens that can access your accounts or services.
The skill is explicitly meant to collect and store credentials. That is purpose-aligned, but it gives the agent access to high-impact secrets.
Use when you need sensitive information from the user (API keys, passwords, tokens) or need to save credentials to config files.
Use narrowly scoped, revocable credentials; confirm exactly where each secret will be saved; rotate any secret if it may have been exposed.
A changed or compromised npm package could run code on the user’s machine and handle submitted credentials.
If the expected binaries are absent, the helper auto-downloads and runs unpinned npm packages. The external Confidant CLI is not included in the reviewed files but performs the polling and saving of secrets.
npx --yes @aiconnect/confidant "$@" ... npx --yes localtunnel --port "$PORT"
Prefer reviewed and pinned package versions, install manually from a trusted source, and avoid automatic npx execution for credential-handling code.
On a shared or compromised machine, a different local service could receive the request flow or direct the user to an unexpected credential form.
The script trusts an already-running localhost service that answers the health check before creating the credential request. In a secret-submission workflow, the identity of the local server and any tunnel endpoint matters.
if server_running; then
: # Server already running
else
...
REQUEST_OUTPUT=$(curl -sf -X POST "http://localhost:${PORT}/requests"
Use a fresh, verified Confidant server instance; avoid reusing unknown localhost services or tunnels; verify the URL and port before sharing it with the user.
A user may believe the secret cannot enter history or logs, while a documented mode can expose the secret to the agent’s command output.
The broad privacy claim is weakened by the documented stdout mode. In agent runtimes, stdout may be captured in transcripts, logs, or model context.
no chat exposure, no copy-paste, no history leaks ... Without `--service` or `--save`, the script still polls and prints the secret to stdout
Use `--service` or `--save` instead of stdout mode, redact tool outputs, and update the documentation to clearly warn that stdout is not history-free.
A background Confidant server or tmux session may remain running after the secret handoff if the user or agent does not stop it.
The documented workflow intentionally starts a long-running background server/session. This is disclosed and supports human-in-the-loop secret submission, but it can persist beyond the immediate task.
Always run Confidant inside a tmux session ... tmux new-session -d -s confidant ... confidant serve --port 3000
Stop the tmux session/server after use and remove any tunnel or temporary files that are no longer needed.
