Secret Manager

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to manage OpenClaw API keys, but it handles secrets and controls services in ways users should review carefully before installing.

Install only if you are comfortable with a skill that can change OpenClaw credential configuration, store API keys, import environment variables, and restart or kill gateway processes. Prefer interactive or keyring-based entry, avoid putting secrets in shell history or plaintext .env files, and review the contents of any SECRETS_ENV_FILE, because this artifact indicates that file is sourced, i.e. executed as shell code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill metadata describes an installable script and the documented behavior includes injecting secrets into configuration, which implies file modification capability without any declared permissions boundary. In an agent ecosystem, undeclared write access reduces transparency and can mislead users or policy enforcement about what the skill is allowed to change.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose suggests secure key management, but the actual behavior extends into process control, sourcing an external env file, modifying service environment, and restarting services/containers. That mismatch is dangerous because users may grant trust expecting only secret storage while the skill also performs broader system actions that can expose secrets, disrupt services, or execute unintended configuration from disk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script's stated purpose is secret storage, but this block also executes an external file via `source` and forcibly stops/kills gateway processes, expanding the trust boundary well beyond secret management. If `SECRETS_ENV_FILE` or the default secrets file is modified by an attacker, arbitrary shell commands run in the user's context before the restart sequence, and the restart logic can be abused for disruption.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`source "$SECRETS_FILE"` executes the contents of an arbitrary file as shell code, not merely environment assignments. Because the path is configurable via `SECRETS_ENV_FILE`, any attacker who can influence that file or environment variable can achieve arbitrary command execution in the user's session.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Passing secrets directly on the command line can expose them to shell history, process listings, audit logs, and terminal scrollback. Since the skill then injects those values into config or service environment, the documentation's omission of this risk can lead users to unintentionally leak credentials.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Sourcing an external env file without an explicit warning is dangerous because operators may reasonably assume the file is treated as passive configuration, when in reality it is executable shell input. This increases the chance of accidental or malicious code execution through a file meant to hold secrets.

Credential Access

High
Category
Privilege Escalation
Content
| Variable | Description | Default |
| :--- | :--- | :--- |
| `OPENCLAW_CONTAINER` | Name of the Distrobox container | `clawdbot` |
| `OPENCLAW_HOME` | Path to OpenClaw config directory | `~/.openclaw` |
| `SECRETS_ENV_FILE` | Path to an optional .env file to source | `~/.config/openclaw/secrets.env` |

## Usage
Confidence
84% confidence
Finding
secrets.env

Credential Access

High
Category
Privilege Escalation
Content
| Variable | Description | Default |
| :--- | :--- | :--- |
| `OPENCLAW_CONTAINER` | Name of the Distrobox container | `clawdbot` |
| `OPENCLAW_HOME` | Path to OpenClaw config directory | `~/.openclaw` |
| `SECRETS_ENV_FILE` | Path to an optional .env file to source | `~/.config/openclaw/secrets.env` |

## Usage
Confidence
84% confidence
Finding
.env

VirusTotal

63/63 vendors flagged this skill as clean.
