Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dashlane
v1.0.0
Access passwords, secure notes, secrets and OTP codes from Dashlane vault.
by @gnarco
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to provide Dashlane CLI access but the registry metadata lists no required binaries or environment variables. The SKILL.md explicitly requires the 'dcli' binary (and gives a brew install) and refers to the DASHLANE_MASTER_PASSWORD environment variable and local keychain storage. The manifest should declare these requirements; their absence is an incoherence between claimed purpose and declared requirements.
Instruction Scope
The instructions tell the agent to run dcli commands (sync, p, note, backup, logout, configure, exec, inject, read dl://) and to perform actions that persist secrets (backup to current directory, save master password to keychain or env, disable user-presence checks). These operations go beyond read-only display: they can write vault backups to disk, place the master password in environment variables, and configure the CLI to persist secrets — all of which increase exposure. The SKILL.md also instructs injecting secrets into processes/files which widens the risk surface.
Install Mechanism
There is no install spec in the skill bundle (instruction-only). The SKILL.md recommends installing via Homebrew (brew install dashlane/tap/dashlane-cli). That is a commonly used mechanism, but because the skill metadata did not declare 'dcli' as a required binary, the manifest and instructions are inconsistent.
Credentials
The manifest declares no required environment variables or primary credential, yet the instructions rely on DASHLANE_MASTER_PASSWORD (and describe saving it to the OS keychain or env vars). The skill also exposes commands that inject secrets into other processes or files. Requesting no credentials in metadata while instructing the use/persistence of a master password is disproportionate and misleading.
Persistence & Privilege
The skill does not request always:true and does not autonomously elevate itself, which is good. However the instructions encourage persistent changes to the host (saving master password in keychain or env, disabling user-presence checks, creating backups in directories such as the current working directory or ~/.local/share/dcli/). Those persistent behaviors increase risk if executed without careful review.
What to consider before installing
This skill appears to be an instruction-only wrapper for the official Dashlane CLI, but the registry metadata is incomplete and the instructions include risky, persistent operations. Before installing or using: (1) confirm you trust the skill owner and the brew formula at the official Dashlane CLI site (https://cli.dashlane.com); (2) do not export your master password into environment variables or enable 'save-master-password' unless you understand the system-wide consequences; (3) avoid running backup or 'dcli configure' commands that persist secrets unless you intend to create local copies; (4) prefer using ephemeral console output or direct clipboard copies rather than injecting secrets into processes/files; (5) ask the skill maintainer to update the manifest to declare the required binary ('dcli') and any environment variables so the metadata matches the runtime instructions. If you lack confidence, test in an isolated environment or decline installation.
Runtime requirements
🔐 Clawdis
Bins: dcli
