Password Manager

Security checks across malware telemetry and agentic risk

Overview

This is a local password manager with no exfiltration found, but it exposes and handles very sensitive secrets with several weak or inconsistent safeguards.

Install only if you are comfortable with a local experimental password vault. Avoid putting real master passwords in environment variables or command-line arguments, lock the vault after use, treat revealed/generated secrets as potentially stored in chat history, and review the cache timeout and plaintext reveal defaults before storing important credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The documentation is internally inconsistent about whether master password changes are supported. In a password manager, conflicting guidance around credential-rotation workflows can cause users or agents to take unsafe actions such as reinitializing the vault, mishandling secrets during migration, or assuming a password was changed when it was not. The security-sensitive context makes documentation accuracy especially important.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The schema/description says deletion requires the user to re-enter the master password, but the implementation only accepts a boolean `confirmed` flag before deleting once the vault is unlocked. In an agent setting, that mismatch weakens protection for destructive actions because any caller that can invoke the tool can set `confirmed: true` and delete entries without fresh user re-authentication.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The help text claims support for a command-line master password option even though the code elsewhere says such parameters are no longer supported. In a password manager context, documenting insecure secret-passing patterns is dangerous because users may place credentials on the command line, where they can be exposed via shell history, process listings, audit logs, or CI job output.

Missing User Warnings

Medium
Confidence: 82%
Finding
The skill advertises restore functionality without clearly warning that restore may overwrite the current vault or cause irreversible data loss. For a password manager, users may invoke restore assuming it is non-destructive, leading to loss of stored credentials, rollback to stale secrets, or accidental replacement of the active vault with compromised or outdated backups.

Missing User Warnings

Medium
Confidence: 87%
Finding
The documentation includes a retrieval example with `showPassword: true`, which normalizes secret disclosure without any caution, masking guidance, or explicit requirement for strong user intent. In a password-manager skill, examples strongly influence downstream agent behavior, so this can increase the chance that secrets are revealed into chat logs, UI history, or other unintended sinks.

Missing User Warnings

Medium
Confidence: 92%
Finding
`password_manager_get` defaults `showPassword` to `true`, so plaintext secrets are disclosed unless the caller explicitly opts out. In an LLM/agent integration, permissive defaults increase the chance of accidental exposure in tool outputs, logs, UI transcripts, or downstream model context.

Missing User Warnings

Medium
Confidence: 80%
Finding
The password generation tool returns the generated password in plaintext. While that is often functionally necessary, it still creates secret-exposure risk in this agent context because the value may appear in chat history, telemetry, screenshots, or logs without an explicit disclosure warning.

Missing User Warnings

Medium
Confidence: 89%
Finding
Reading the master password from an environment variable creates a real secret-handling risk because environment variables are often inherited by child processes, captured in debugging output, exposed in CI/CD logs, or readable by local administrators and monitoring tools. In a password manager, the master password is the root secret, so encouraging this path without prominent warnings increases the likelihood of catastrophic credential compromise.

Missing User Warnings

High
Confidence: 97%
Finding
The non-TTY fallback uses visible input for the master password without warning the user that the secret may be echoed, recorded by terminal logging, piped through tooling, or stored in transcripts. Because this is the master password for the vault, accidental exposure here can fully compromise all stored secrets, making the issue especially serious in this skill's context.

Missing User Warnings

High
Confidence: 99%
Finding
The change-password command accepts both old and new master passwords as CLI arguments, which is a well-known secret exposure vector because command-line arguments are frequently visible via process lists, shell history, telemetry, job runners, and support bundles. In a local password manager, exposing either the old or new master password can enable vault compromise immediately or after the password rotation.

Missing User Warnings

High
Confidence: 97%
Finding
The code stores decrypted vault key material in a local cache file (`key.enc`) for up to 48 hours, protected only by a key derived from the master password. This materially weakens the security model of a password manager: an attacker who obtains the master password later, or can brute-force it offline against the cache file, can recover the vault key without needing interactive unlock, and persistent key caching increases exposure from disk theft, malware, backups, and multi-user systems.

VirusTotal

64/64 vendors flagged this skill as clean.
