OpenClaw Key Management

Security checks across malware telemetry and agentic risk

Overview

This credential-management skill has a legitimate purpose, but it handles and modifies sensitive secrets in ways users should review before installing.

Review carefully before installing. Do not use it with real credentials unless the package is fixed to:
  • avoid temporary plaintext scripts,
  • use the included vault module,
  • remove hard-coded workspace paths,
  • ask before reading or modifying MEMORY.md, and
  • accurately implement or document passphrase mode, memory locking, and secret cleanup limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Medium (95% confidence)

The manifest enables system command execution even though the stated purpose is secure credential storage and encryption. That capability materially expands the attack surface: a compromised or overly permissive skill could invoke shell commands to read, copy, or exfiltrate credentials from memory or workspace files, which is especially risky in a credential-management context.

Description-Behavior Mismatch

Medium (87% confidence)

The migration flow directly reads and rewrites MEMORY.md, which undermines the stated security goal of protecting credentials from memory-file compromise. Modifying a general workspace memory file that may contain other sensitive or operational content can expose secrets during processing and create integrity risks if the replacement logic is incomplete or incorrect.

Context-Inappropriate Capability

Medium (83% confidence)

The script includes logic to search workspace content for API-key-like material, which expands its access beyond what is necessary for a key storage tool. Even though the current grep targets MEMORY.md and a specific prefix, this behavior increases the chance of unintended credential discovery, collection, and handling from files not meant to be processed by the tool.

Intent-Code Divergence

High (98% confidence)

The tool advertises itself as a secure 'Fixed Version' key manager, yet it writes plaintext secrets into temporary Node.js scripts via heredocs before execution. That exposes credentials on disk, potentially to other local users, forensic recovery, backup systems, or crashes that prevent cleanup, directly contradicting the intended protection model.

Description-Behavior Mismatch

Medium (98% confidence)

The vault explicitly decrypts secrets and stores them as plaintext JavaScript strings in an in-memory cache for up to 30 seconds, which directly conflicts with the stated goal of protecting credentials from memory compromise. In Node.js, strings are immutable and cannot be reliably scrubbed, so any memory disclosure, crash dump, heap snapshot, or debugging access during that window can recover the secret.

Intent-Code Divergence

Medium (97% confidence)

The cleanup logic gives a false impression of secure erasure: when passed a string, it creates a new Buffer and zeroes that Buffer, but the original decrypted string in V8-managed memory remains untouched. This can mislead users into believing cached secrets are erased when they may still persist in memory after cache eviction.

Missing User Warnings

Medium (91% confidence)

The test plan instructs operators to delete the current vault and corrupt files as part of backup/restore and error-handling tests, but it does not include explicit warnings, isolation requirements, or safeguards against running these steps on real credential stores. In a key-management skill, destructive test steps are more dangerous than usual because they target sensitive encrypted data and could cause irreversible credential loss or service disruption if executed in a non-test environment.

Vague Triggers

Medium (87% confidence)

The activation contexts are broad enough that the skill may trigger whenever users discuss API keys, credential security, or sensitive memory content, even when they did not intend to invoke this specific skill. In a skill with access to memory files, workspace files, and system commands, unintended activation increases the chance of unnecessary exposure or processing of secrets.

Missing User Warnings

Medium (90% confidence)

The migration command silently extracts a credential from MEMORY.md and rewrites that file without explicit confirmation, preview, or warning. For a tool handling secrets, making destructive changes to a user workspace file without consent can lead to accidental data loss, broken references, and unreviewed movement of sensitive material.

Missing User Warnings

Medium (95% confidence)

The get command prints the secret value directly to stdout with no warning or safeguards. In practice, stdout may be captured by shell history tools, terminal logs, calling programs, CI systems, or other observers, causing the secret to leak immediately after retrieval.

VirusTotal

65/65 vendors flagged this skill as clean.