ClawHub

Headless Bitwarden

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for remote Bitwarden unlocking, but it handles a vault password through a publicly exposed helper with weak scoping and transport assumptions.

Review carefully before installing. This may be useful only if you explicitly need remote rbw/Bitwarden unlocking, but you should avoid default public tunneling, require localhost or verified TLS, use one-time approvals, and treat any printed unlock URL as a secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to execute shell commands and launch a local/web-accessible unlock helper, but it declares no corresponding permissions. Undeclared shell capability weakens review and enforcement boundaries, making it easier for a privileged workflow that handles secrets to be invoked without clear operator awareness.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The helper is described as an HTTPS-based remote unlock endpoint, but it actually creates a plain HTTP server with `http.createServer`. That means the Bitwarden master password and bearer-style URL token can traverse the network unencrypted unless an external TLS tunnel is correctly and consistently used, which is especially dangerous given this skill’s explicit purpose of collecting vault-unlock credentials remotely.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This script is a custom non-interactive pinentry replacement that retrieves a Bitwarden unlock password from an environment variable or FIFO and returns it directly to the caller, with no user-facing confirmation, origin validation, or consent step. In the context of a remote unlock helper, that means any process able to invoke this pinentry in the relevant session can potentially obtain the secret automatically, increasing the risk of unintended credential disclosure if the helper is misrouted, reused, or accessed by an attacker on the host.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This script automatically starts a public TryCloudflare tunnel for a service that accepts a Bitwarden master password, exposing a sensitive unlock endpoint to the internet by default. Although the endpoint uses a random token path and a TTL, that is still weaker than explicit opt-in for internet exposure because the URL is printed locally, may be logged, and expands the attack surface from localhost-only to public HTTPS access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal