Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Secure Autofill

v0.1.0

1Password-backed credential filling via vault_suggest/vault_fill (plugin tools).

0· 535·0 current·0 all-time
by Zhihao@moodykong
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description claims 1Password-backed autofill; the included files (SKILL.md + onboard.sh) implement exactly that. However, registry metadata declares no required env or primary credential, while the runtime docs and script clearly expect/handle OP_SERVICE_ACCOUNT_TOKEN and gateway env updates. The missing declaration is an incoherence that affects trust decisions.
Instruction Scope
Instructions ask the operator/agent to write machine-local and gateway env files, optionally copy OP_SERVICE_ACCOUNT_TOKEN into the gateway env, modify tool allowlists, and restart the openclaw-gateway systemd user service. These actions are within the scope needed to enable a plugin that types secrets into the browser, but they involve modifying user config and restarting services and therefore touch sensitive local state.
Install Mechanism
There is no network install/download; the skill is instruction-first and ships a small onboarding script. No remote archives, URLs to execute, or package installs are performed by the skill itself (the SKILL.md suggests manually installing Chrome from Google's apt repo, which is a standard, explicit step).
Credentials
Functionality legitimately needs a 1Password service token (OP_SERVICE_ACCOUNT_TOKEN) and display-related env vars, but the skill metadata lists no required env vars. The onboarding script will propose copying the OP token into a gateway env file and the gateway process would therefore gain access to it; this is sensitive and should be explicitly declared and justified in metadata. Ensure principle of least privilege for any token used.
Persistence & Privilege
The skill does not request always:true and won't install persistent binaries. It does instruct optionally modifying the gateway env and restarting the openclaw-gateway user service so the gateway process can read the token — this grants the gateway process access to the secret and increases blast radius if the gateway is compromised. That behavior is plausible for the stated purpose but worth deliberate consent.
What to consider before installing
Before installing or running this skill:

- Treat OP_SERVICE_ACCOUNT_TOKEN as a sensitive secret. Do not paste it into chat. Prefer creating a least-privileged 1Password service account/token for this use.
- The metadata claims no required env vars, but the skill will prompt to write OP_SERVICE_ACCOUNT_TOKEN (and DISPLAY/WAYLAND_DISPLAY) into a skill-local config and optionally into your gateway env (~/.config/openclaw/env). This is a material mismatch — expect the gateway process to gain access to the token if you allow copying.
- The onboarding script can restart your openclaw-gateway systemd user service; only proceed if you understand and trust that service.
- Verify the presence and provenance of the external tools the skill depends on (vault_suggest, vault_fill) and confirm they are allowed in your tool allowlist before enabling them.
- Review the included onboard.sh yourself (it's short and readable) and run it manually in a terminal rather than letting an automated agent perform the onboarding.
- If you decide to proceed, restrict file permissions on any env file that contains the OP token, and consider not copying the token into the gateway env (use skill-local config) unless necessary.

Given the metadata mismatch around required environment access and the sensitive token handling, proceed only after manual review and applying least-privilege principles.


latest: vk979q1ax68tqzje9fe3pjejsv181m7e0


Runtime requirements

🔐 Clawdis
