SnapPwd Secure Secret Sharing
Security checks across malware telemetry and agentic risk
Overview
The skill is coherent for one-time secret sharing, but it intentionally handles credentials through an external SnapPwd service and optional CLI, so use it only with trusted recipients.
This skill appears consistent with its stated purpose. Before installing or using it, make sure you trust SnapPwd and any optional CLI package, share links only with verified recipients, avoid sharing long-lived private keys when possible, and rotate or revoke credentials after they have been shared.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who receives and opens a valid link may gain whatever access the secret represents, such as that of an account token or SSH key.
The skill is explicitly designed to share credentials and keys that may grant access to systems or third-party accounts. This is core to the purpose, but high-impact.
| **Private Keys** | SSH keys, TLS certificates, PGP keys | Temporary key distribution |
...
| **Credentials Files** | `credentials.json`, `.netrc` | Service account access |
Only share least-privilege, temporary, or revocable credentials; verify the recipient; and rotate or revoke secrets after use when practical.
If a user installs the CLI, they are trusting that external package to encrypt and upload sensitive material correctly.
The optional CLI workflow installs an unpinned global npm package that will process secrets. The artifacts do not show automatic installation, but provenance matters for secret-handling tools.
npm install -g @snappwd/cli
Verify the package, publisher, and repository before installing the CLI, and prefer the web workflow if you do not need terminal integration.
Anyone with access to the chat, email, or agent transcript containing the link can potentially consume the one-time secret before the intended recipient does.
The shared link contains the material needed to decrypt the secret, making the link itself a bearer credential until it is viewed or expires.
The CLI outputs the full secure link including the encryption key in the URL fragment: https://snappwd.io/g/<uuid>#<base58-encoded-key>
Send links only through channels appropriate for bearer secrets, confirm the intended recipient, and create separate links for multiple recipients.
