Skill v2.0.0

ClawScan security

A2A Vault · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 22, 2026, 8:50 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions mostly match a secrets-vault purpose, but it instructs the agent to read local .env files and expose bulk-secret operations without declaring file/config access or provenance for the install package, which is disproportionate and worth caution.
Guidance
Before installing, verify the npm package provenance and vendor: look up @a2a/openclaw-plugin on the registry, inspect its source repository and recent releases, and confirm the publisher identity. Ask the author to declare any required file paths/permissions (reading .env) and to explain how decrypted secrets are handled, logged, or transmitted (especially with passbox_get_environment and a2a_secure_execute). If you plan to use this in sensitive environments, consider restricting the agent's file access or testing in a low-risk environment first, and require explicit confirmation before any bulk export/injection of secrets. If you cannot verify the package source or the team, treat the installation as higher-risk and avoid granting the agent access to production .env files or production secrets until you have more provenance.
Findings
[no-findings] expected: The static regex scanner found no matches because this is an instruction-only skill with no code files. That absence is not evidence of safety; the SKILL.md itself instructs local file access and secret retrieval which the scanner could not analyze.

Review Dimensions

Purpose & Capability
ok: Name/description (zero-knowledge secrets management) align with the listed passbox_* tools (store, retrieve, list, rotate, import .env, inject into executions). The install spec (npm package @a2a/openclaw-plugin) plausibly provides those tools.
Instruction Scope
concern: SKILL.md explicitly instructs the agent to "Read your local .env file" and to perform bulk retrievals (passbox_get_environment) and automated injection (a2a_secure_execute). The skill declares no required config paths or file permissions, and does not constrain how retrieved plaintext secrets may be handled or transmitted. Asking the agent to read local files and resolve placeholders increases the risk of unintended exfiltration and is not declared in the metadata.
Install Mechanism
note: The install uses an npm package (@a2a/openclaw-plugin). That's a typical mechanism but adds moderate risk compared with instruction-only skills. There is no homepage, source repository, or release provenance in the metadata, which reduces confidence in the package's trustworthiness.
Credentials
concern: No environment variables or credentials are requested, which is reasonable. However, the skill instructs reading local .env files and retrieving entire environment secret sets without declaring file/config access; that implicit request for local file access and bulk secret access is disproportionate to the metadata and should be explicitly declared and justified.
Persistence & Privilege
ok: always is false and the skill is user-invocable. The skill does not request persistent system-wide privileges in the manifest and does not claim to modify other skills or system configs.