Skill v1.1.0
ClawScan security
Keychain Bridge Publish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 7, 2026, 5:27 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it claims (migrate plaintext secrets into macOS Keychain), but there are internal inconsistencies and risky design choices you should understand before installing (notably the deliberate creation of plaintext files for bash compatibility and running/injecting across multiple Python binaries).
- Guidance: What to consider before installing:
  - This skill does migrate secrets into macOS Keychain locally and includes readable scripts, but it deliberately supports a "Group B" pattern that writes plaintext secret files to disk at boot so bash tools can use them. That directly contradicts the "eliminate plaintext storage" wording — expect plaintext files if you enable the file bridge.
  - The migration tool runs multiple local Python binaries to inject keychain items (to work around per-binary ACLs). If you have untrusted Python interpreters on your machine (pyenv installs, non-system binaries), those binaries will be executed by the migration process — review your Python installations first.
  - Adding populate_secrets.sh to a startup/LaunchAgent will create plaintext files (chmod 600) at boot. While permissions help, any process running as your user (or with sufficient privileges) can read them. Prefer avoiding Group B when possible; instead make consumers use keychain APIs or the Python helper.
  - The codebase is included and readable. Review the scripts yourself, run them in a safe test account/machine first, and back up your original secrets.
  - If you proceed: 1) audit your Python binaries, 2) install keyring only for the Pythons you trust, 3) test a dry-run migration, and 4) avoid installing the boot-time file bridge unless you accept the plaintext-file tradeoff.
  - If you want, I can point out the exact lines where plaintext files are written and the places that execute detected Python binaries, or produce a checklist for a safe dry-run migration.
- Findings
- [pre-scan-injection-signals-none] expected: Static scan found no injection signals. That's consistent with the included plain Python and bash scripts, but absence of findings is not a guarantee of safety; the code intentionally manipulates secrets and launches local interpreters.
Review Dimensions
- Purpose & Capability (note): Name/description match the included scripts: migrate, audit, helper, CLI, and populate script. Requested binaries (bash, python3) are appropriate. However, the README and description claim to "eliminate plaintext credential storage" while the skill deliberately provides a Group B file-bridge that writes plaintext files to disk — this contradicts the stated goal and is a meaningful design trade-off that should be highlighted.
- Instruction Scope (concern): SKILL.md instructs the agent to scan a user secrets directory, read plaintext secret files, inject them into the keychain, and (optionally) delete the originals. It also instructs adding a boot-time script (populate_secrets.sh) that reads secrets from keychain and writes chmod 600 files to disk for bash consumers. These instructions intentionally create plaintext secret files on disk and tell the agent to enumerate Python binaries and run them; that scope is broader than a pure 'remove plaintext' promise and increases exposure.
- Install Mechanism (ok): Instruction-only skill (no remote downloads). All code is included and readable. The only install step suggested is pip install keyring (standard public package). No network downloads or obscure install URLs are used.
- Credentials (note): The skill requests no environment variables or external credentials. It will, however, read files from a user-specified directory (default ~/.openclaw/secrets/) and will execute multiple local Python binaries discovered on the host. Executing all detected Python interpreters is explained by keychain ACL behavior but increases the attack surface if a non-trusted Python binary exists on the system.
- Persistence & Privilege (concern): The skill recommends installing a boot-time/populate script (LaunchAgent or startup) that writes plaintext secret files at boot. That gives persistent on-disk exposure of secrets to any process able to read user files. The skill itself is not always:true, but adding the LaunchAgent is an explicit instruction that increases persistence and blast radius.
