Keychain Bridge Publish

Security checks across malware telemetry and agentic risk

Overview

This skill is local and purpose-aligned, but it handles high-value secrets and includes under-scoped workflows that can recreate plaintext credentials on disk.

Review before installing. Use it only on macOS accounts where you are comfortable giving the agent access to Keychain and ~/.openclaw/secrets. Run migrations with --dry-run first, avoid broad read/get-secret requests, review the hard-coded Group B service list, and avoid populate_secrets.sh unless those bash tools truly require plaintext files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    with open(val_path, 'w') as vf:
        vf.write(value)
    result = subprocess.run(
        [python_path, script_path],
        capture_output=True, text=True, timeout=30
    )
Confidence
91% confidence
Finding
result = subprocess.run( [python_path, script_path], capture_output=True, text=True, timeout=30 )

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The helper advertises Keychain-backed secret handling but silently falls back to reading plaintext files from ~/.openclaw/secrets when keyring access fails. This weakens the security boundary users would reasonably expect, can reintroduce plaintext secret exposure on disk, and masks configuration or permission failures that should be surfaced explicitly.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The README advertises very broad natural-language trigger phrases such as "Migrate my secrets to keychain" and "Audit my secrets directory for plaintext leaks" without any stated confirmation, scope limits, or safety checks. In a secrets-management skill, broad activation increases the chance an agent will perform credential-moving or filesystem-scanning actions automatically from casual user text, which can lead to unintended secret exposure or destructive migration steps.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The top-level description says to use the skill for broad topics like 'credentials', 'API keys', and generic 'security hardening on macOS,' which can cause the agent to invoke it for loosely related requests. For a skill that can read/write secrets and create bridge files, over-broad routing increases the chance of unintended secret access or modification.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Several trigger phrases are generic, including 'move secrets', 'audit secrets', 'read secret', 'get API key', and 'store secret'. In context, these phrases can capture ordinary support requests and route them into a skill capable of credential retrieval and persistence, creating an unnecessary exposure path.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script retrieves a secret and writes it directly to stdout, which can expose sensitive data through shell history, terminal scrollback, logging pipelines, parent process capture, or accidental redirection to files. In this skill's context, the tool is explicitly designed to bridge secrets into bash workflows, which increases the chance that secrets are propagated into less controlled environments.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Secret retrieval and the fallback to file-based secrets occur without any warning, logging, or disclosure to the caller. This can cause operators to believe secrets are protected in Keychain when they are actually being read from disk, delaying detection of insecure storage and troubleshooting of broken Keychain access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script retrieves secrets from the macOS Keychain and writes them into plaintext files on disk, increasing exposure compared with keeping them only in the Keychain. Even with mode 600, secrets may be read by the owning user, copied by backups, leaked through later misconfiguration, or left behind longer than intended, and the script gives no explicit warning or consent prompt before materializing them.

Credential Access

High
Category
Privilege Escalation
Content
- **Auto-detection** of all Python versions on the system with full ACL coverage
- **Group A/B architecture** for mixed Python/bash environments
- **Plaintext leak auditor** that catches forgotten secret files
- **Diagnostic tools** for every known Tahoe keychain failure mode
- **Boot-time file bridge** for bash scripts that can't use keychain directly

## What You Get
Confidence
87% confidence
Finding
keychain

Credential Access

High
Category
Privilege Escalation
Content
- **Group A/B architecture** for mixed Python/bash environments
- **Plaintext leak auditor** that catches forgotten secret files
- **Diagnostic tools** for every known Tahoe keychain failure mode
- **Boot-time file bridge** for bash scripts that can't use keychain directly

## What You Get
Confidence
87% confidence
Finding
keychain

Credential Access

High
Category
Privilege Escalation
Content
| `SKILL.md` | Full agent instructions — your OpenClaw agent knows how to use everything |
| `scripts/migrate_secrets.py` | Batch migration with multi-Python ACL injection and verification |
| `scripts/audit_secrets.py` | Continuous plaintext leak detection and keychain health checks |
| `scripts/keychain_helper.py` | Drop-in Python module — replaces file reads with keychain lookups |
| `scripts/populate_secrets.sh` | Boot-time bridge that populates files from keychain for bash tools |
| `scripts/get_secret.py` | CLI wrapper for interactive/terminal use |
Confidence
88% confidence
Finding
keychain

Credential Access

High
Category
Privilege Escalation
Content
| `SKILL.md` | Full agent instructions — your OpenClaw agent knows how to use everything |
| `scripts/migrate_secrets.py` | Batch migration with multi-Python ACL injection and verification |
| `scripts/audit_secrets.py` | Continuous plaintext leak detection and keychain health checks |
| `scripts/keychain_helper.py` | Drop-in Python module — replaces file reads with keychain lookups |
| `scripts/populate_secrets.sh` | Boot-time bridge that populates files from keychain for bash tools |
| `scripts/get_secret.py` | CLI wrapper for interactive/terminal use |
Confidence
88% confidence
Finding
keychain

Credential Access

High
Category
Privilege Escalation
Content
2. **Per-binary Keychain ACL** — each Python binary needs its own ACL entry;
   migration tool handles this automatically
3. **Group A/B secret architecture** — a practical pattern for mixed Python/bash
   environments where Group A uses keychain directly and Group B uses boot-time
   file bridges
4. **Security CLI regression on Tahoe** — `security find-generic-password -w`
   hangs even after `security unlock-keychain` with the correct password
Confidence
86% confidence
Finding
keychain

Credential Access

High
Category
Privilege Escalation
Content
After installing the skill, just tell your OpenClaw agent:

> "Migrate my secrets to keychain"

or
Confidence
91% confidence
Finding
keychain

VirusTotal

65/65 vendors flagged this skill as clean.