ClawHub

Vaultwarden Secrets

Security checks across malware telemetry and agentic risk

Overview

This Vaultwarden skill is mostly purpose-aligned, but it needs review because it can access or modify broader vault contents than some instructions imply.

Install only if you intend to let the agent read and modify Vaultwarden secrets. Configure your own trusted server, set VW_COLLECTION_ID explicitly for organization vaults, assume personal-vault mode can search the full vault, consider VW_CACHE_TTL=0, run vw-lock.sh when done, and require human approval for update, delete, and password rotation commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation states that read operations are collection-scoped, but elsewhere the skill explicitly says it falls back to unscoped full-vault queries when no collection is available. That mismatch can cause operators or downstream agents to retrieve secrets from the entire vault under the false assumption that access is restricted to a smaller collection.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The rules imply operations are safely scoped when possible, but the documented behavior permits unscoped full-vault access whenever collection lookup is unavailable. This weakens the security boundary and can mislead users into performing broader reads or writes than intended, especially in personal-vault deployments.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documentation does not prominently warn that write and delete operations modify real vault contents and that scope may expand to the full vault if collection scoping is unavailable. In a secrets-management context, unclear warnings materially increase the risk of unintended modification, deletion, or rotation of credentials outside the expected collection.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script reads a Bitwarden session token from disk and exports it into the environment as BW_SESSION. This increases exposure of a highly sensitive credential because it persists on disk and may be inherited by child processes or exposed through process inspection, logs, backups, or permissive filesystem settings in the surrounding environment.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This script retrieves a secret from Bitwarden and stores it in a cache keyed by the requested item name, but provides no user-facing notice, consent, or guardrails around handling the password. In a skill context, silent secret retrieval and local caching increase the chance of unintended disclosure through cache reuse, weak file permissions, shared environments, or downstream automation consuming the plaintext secret without the user's awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script writes the live Bitwarden/Vaultwarden session token to disk in a persistent file under /run/openclaw/vw/. Even with restrictive permissions, storing a bearer-style session secret on disk increases exposure through local file disclosure, backups, container/host inspection, accidental volume mounts, or reuse by other local processes running as the same user.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal