Env Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned for managing environment variables, but it appears to overstate secret protection by calling plaintext file storage encrypted.

Review before installing. Use this only for low-risk local environment convenience unless the documentation is corrected. chmod 600 is not encryption: plaintext env files can still be exposed through backups, logs, shell history, process environments, and local compromise, and production profiles should be loaded only for the specific command that needs them. Do not use the third-party sharing suggestion for real credentials unless you independently trust and understand that service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The skill claims 'secure credential storage with encryption at rest' and 'Encrypted secret storage (AES-256)', but the documented procedure writes secrets directly to regular files using shell redirection. This mismatch is dangerous because users may trust the documentation and place live credentials on disk unencrypted, leading to local disclosure through backups, filesystem access, logs, or other compromise paths.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The documentation explicitly says secrets are 'encrypted at rest' while the shown commands only create a plaintext file and restrict permissions with chmod 600. File permissions do not provide encryption, so the docs create a false sense of security that can cause operators to mishandle sensitive API keys.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The skill's stated purpose is local environment and secret management, yet it introduces external team credential-sharing via a third-party service and embeds remote endpoints in an OADP comment. This expands the trust boundary and may encourage users or agents to transmit sensitive credentials to an unrelated external system without clear necessity, validation, or security guarantees.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The example instructs users to write a live secret into a file with shell redirection and gives no warning about the risks of handling plaintext credentials. In a secret-management skill, this context makes the issue more dangerous because users are likely to assume the recommended method is secure and production-appropriate.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The instruction to automatically source a production profile before any API call can inject secrets and configuration into every subsequent session action, increasing the chance of accidental disclosure, unintended command inheritance, or use in the wrong environment. The lack of warning or scoping guidance is particularly risky because the skill is designed for persistent agent sessions.

VirusTotal

64/64 vendors flagged this skill as clean.