Back to skill

Security audit

Secret Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to manage OpenClaw API keys, but it handles secrets and restarts services in ways users should review carefully before installing.

Install only if you are comfortable with a tool that can change OpenClaw credential files, expose secrets to service environments, and restart or kill gateway processes. Prefer the interactive prompt or stdin over command-line secret arguments, avoid plaintext .env files, and inspect any SECRETS_ENV_FILE because this script executes it as shell code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation describes behavior that writes secrets into OpenClaw configuration, but the metadata does not declare corresponding permissions or clearly scope that file modification capability. Undeclared write behavior reduces auditability and informed consent, especially for a secret-handling skill that alters local auth configuration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior goes beyond simple key storage and injection: it sources an external env file, propagates secrets into the systemd user environment, and manipulates gateway/container processes. That mismatch is dangerous because users may install it expecting low-risk secret storage while it also executes configuration from disk and performs service control actions that broaden the attack surface.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The list function retrieves each stored secret from GNOME Keyring and prints the first 8 characters plus total length. Even partial disclosure materially increases exposure by enabling token fingerprinting, correlation across systems, and reducing brute-force/search space for some credential formats. In a secret-management utility, adding a disclosure feature is more dangerous because operators may assume the tool never reveals secret material.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script executes `source "$SECRETS_FILE"`, which runs arbitrary shell code from a user-controllable path specified by `SECRETS_ENV_FILE` or a default file. This exceeds the stated purpose of managing secrets and creates a direct code-execution path in the user's context, potentially allowing malicious commands to run whenever the skill is used.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly documents injecting secrets into auth-profiles.json and exporting them into runtime environment state without warning that these actions may place secrets in plaintext on disk or in process/service environments. For a secret-management tool, omitting those warnings can cause users to downgrade confidentiality protections unintentionally.

Missing User Warnings

High
Confidence
98% confidence
Finding
The example encourages passing a secret directly as a command-line argument, which can leak through shell history, terminal logging, audit logs, and process listings visible to other local users. This is especially risky in multi-user systems or environments with command logging.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Sourcing an external file without explicit warning or validation causes the script to execute its contents as shell code, which is unsafe behavior for a secret-management helper. Even if the file is intended to be configuration, users may not realize that arbitrary commands placed there will run under their account.

Credential Access

High
Category
Privilege Escalation
Content
| :--- | :--- | :--- |
| `OPENCLAW_CONTAINER` | Name of the Distrobox container | `clawdbot` |
| `OPENCLAW_HOME` | Path to OpenClaw config directory | `~/.openclaw` |
| `SECRETS_ENV_FILE` | Path to an optional .env file to source | `~/.config/openclaw/secrets.env` |

## Usage
Confidence
90% confidence
Finding
secrets.env

Credential Access

High
Category
Privilege Escalation
Content
| :--- | :--- | :--- |
| `OPENCLAW_CONTAINER` | Name of the Distrobox container | `clawdbot` |
| `OPENCLAW_HOME` | Path to OpenClaw config directory | `~/.openclaw` |
| `SECRETS_ENV_FILE` | Path to an optional .env file to source | `~/.config/openclaw/secrets.env` |

## Usage
Confidence
90% confidence
Finding
.env

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.