A2A Vault

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate secrets-vault skill, but it gives an agent high-impact credential access without enough documented guardrails.

Install only if you trust the A2A plugin and PassBox provider. Use non-production vaults first, review .env contents before import, verify vault and environment names, and require explicit approval before retrieving, deleting, rotating, or injecting credentials into other tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill documents `passbox_delete_secret` as a normal operation but provides no guidance to require confirmation, backup, scoping, or recovery expectations. In a secrets-management context, accidental deletion can immediately break production systems or erase critical credentials, making this a real safety issue even if not overtly malicious.

Missing User Warnings

Medium
Confidence: 89%
Finding
The workflow encourages importing a local `.env` file into the vault without warning users that `.env` files often contain highly sensitive production credentials and may include unintended values. Without privacy and handling guidance, users may bulk-upload secrets from the wrong environment or expose sensitive material during the import process.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill promotes automatic secret injection into another tool via placeholder substitution but does not warn that downstream tools may log inputs, echo parameters, persist execution traces, or transmit the secret to third parties. In practice, this can bypass the protections of the vault and expose decrypted credentials at the point of use.

VirusTotal

66/66 vendors flagged this skill as clean.