Keychain Access
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is purpose-built for macOS Keychain access, but it can enumerate, reveal, change, or delete credentials, and its claim of safer password input is overstated.
Install it only if you intentionally want the agent to manage macOS Keychain entries. Use narrow service/account filters, avoid unfiltered listing, run --dry-run before making changes, do not use --raw or --yes unless you have explicitly approved the exact action, and be aware that setting a password may still briefly expose it in the security command's process arguments.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A password or API token supplied through stdin or an environment variable may still be briefly visible to local process-list inspection while the security command runs.
The README/SKILL guidance says that stdin and environment-variable inputs keep secrets out of process listings, but the helper still forwards the secret to the child security process as a command-line argument:
`local cmd=(security add-generic-password -s "$SERVICE" -a "$ACCOUNT" -w "$PASSWORD" -U)`
Do not rely on this helper to keep set-operation secrets out of process arguments. The author should document this residual exposure or change the implementation to avoid argv-based secret passing if possible.
If invoked too broadly, the agent could expose credential metadata or plaintext passwords in the session transcript or logs.
The skill can use the user's default Keychain search list and can reveal plaintext secrets with --raw, giving the agent access to a local password vault.
Operate on a specific keychain when provided (`--keychain`); otherwise, the default search list is used... Password output is masked by default; add `--raw` only when the user explicitly needs the secret value.
Use explicit --keychain, --service, and --account values, avoid unfiltered list operations, and require clear user approval before any --raw password reveal.
An agent using --yes without explicit authorization could overwrite or remove a Keychain entry without an interactive stop.
The helper prompts for confirmation by default, but it also exposes an automation flag that bypasses confirmation for high-impact credential updates or deletions:
`--yes Skip confirmation prompts for set (update) or delete.`
Only allow --yes after the user has clearly approved the exact service/account and operation; prefer --dry-run first for destructive actions.
The list operation may fail, or may rely on an undeclared local interpreter, in environments where python3 is absent or unexpected.
The list command invokes python3, but the registry requirements declare only the security binary:
`rows=$(python3 - "$SERVICE" "$ACCOUNT" "$tmpfile" <<'PY'`
Declare python3 as a required binary or replace the parser with dependencies already declared by the skill.
