Vault Client

Security checks across malware telemetry and agentic risk

Overview

This Vault helper is mostly purpose-aligned, but it stores Vault tokens and cached secrets in plaintext and modifies persistent agent instructions without enough user control.

Review before installing. Use only a least-privileged, short-lived Vault token; protect or remove ~/.openclaw/vault.json and ~/.openclaw/vault-cache.json; inspect any AGENTS.md block added by setup; avoid tls.verify:false except in controlled environments; and be careful with put because it can change Vault secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The skill description understates several sensitive behaviors: persisting retrieved secrets to disk, listing secret paths, and modifying AGENTS.md for startup persistence. These behaviors increase exposure and persistence of sensitive data; when not clearly disclosed, users may invoke the skill without understanding that secrets will be retained locally or that session startup files will be modified.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The setup flow writes a Vault-related block into a workspace AGENTS.md file, which is outside the core scope of secret retrieval and management. Modifying shared workspace documentation creates an unexpected persistence and influence channel: it can change later agent behavior, spread operational instructions, and normalize fallback handling for secrets beyond the immediate local setup action.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup instructions say the Vault token is saved to ~/.openclaw/vault.json but do not warn that this file contains highly sensitive long-lived credentials. If file permissions are weak, the host is shared, backups are exposed, or the workstation is compromised, an attacker could reuse the token to access Vault secrets directly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Caching secrets in ~/.openclaw/vault-cache.json creates an additional plaintext copy of sensitive material on disk, increasing the attack surface beyond Vault itself. Even with a short TTL, secrets may be exposed through local compromise, backups, forensic recovery, or accidental inclusion in logs and support bundles.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs users to store a Vault token in `~/.openclaw/vault.json` without any warning about the token's sensitivity, file permissions, or safer storage options. Because Vault tokens are bearer credentials that can grant direct access to secrets, local plaintext storage increases the risk of credential theft from a compromised workstation, backups, or overly permissive filesystem settings.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The setup wizard collects a Vault token and persists it to ~/.openclaw/vault.json without any clear warning about disk storage, lifetime, or filesystem permissions. A long-lived Vault token is highly sensitive; silent persistence increases the risk of credential theft from local compromise, backups, logs, or multi-user systems.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Secret material read from Vault is cached to disk in ~/.openclaw/vault-cache.json with no user warning, opt-in, encryption, or permission hardening. This undermines Vault's security model by creating a second plaintext secret store on the endpoint, making compromise of the local machine sufficient to recover secrets even after Vault access should have expired.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: vault-client
description: Hashicorp Vault client for OpenClaw agents. Read and write secrets from a Vault server without raw curl commands or hardcoded tokens. Use when reading API keys, DB credentials, or any secret stored in Hashicorp Vault; checking token expiry; rotating secrets; or configuring Vault access for the first time. NOT for the zuiho-kai local Vault skill (that is a different, local-only tool).
---

# vault-client
Confidence
74% confidence
Finding
write secrets from a Vault server without raw curl commands or hardcoded tokens. Use when reading API keys, DB credentials, or any secret stored in Hashicorp Vault; checking token expiry; rotating sec

VirusTotal

66/66 vendors flagged this skill as clean.
