ClawHub
Back to skill

Security audit

Keychain Access

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed macOS Keychain helper, but it handles sensitive credentials and overstates how safely it keeps stored passwords out of process arguments.

Install only if you want an agent to manage local macOS Keychain credentials. Use --raw only when you are comfortable putting the secret in the conversation or logs, prefer explicit --keychain plus service/account filters, use --dry-run before changes, and do not rely on password-stdin or password-env to fully keep stored passwords out of process arguments until the helper is fixed or documented accurately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares no permissions even though it clearly enables reading from the macOS Keychain via the `security` CLI, including listing entries and retrieving credential metadata or secrets. This creates a capability/permission mismatch that can bypass policy review and allow an agent to access sensitive local credentials without an explicit declaration of that access.

Credential Access

High
Category
Privilege Escalation
Content
- Never print secrets unless the user explicitly asks to reveal them (`--raw`). Routine `get` calls only report metadata with the password hidden.
- Ask the user to confirm before modifying or deleting existing entries. The script prompts by default and accepts `--yes` to skip the prompt for automation.
- Support a `--dry-run` mode so agents can preview the `security` command without touching the Keychain.
- Supply secrets via `--password-stdin`, `--password-env`, or the hidden interactive prompt. The legacy `--password` option leaves values in shell history and process listings (the helper warns when it's used), so prefer the safer inputs; `--password-env VAR` reads the var and unsets it immediately to keep the secret out of the environment.
- Operate on a specific keychain when provided (`--keychain`); otherwise, the default search list is used. Avoid leaking system passwords by defaulting to explicit service/account filters.
Confidence
81% confidence
Finding
Keychain

Credential Access

High
Category
Privilege Escalation
Content
Stored credential for 'test-service' / 'test-user'.

# 3) Get the credential (masked by default, raw only when asked)
./skills/keychain-access/keychain-access.sh get   --service test-service --account test-user   --keychain /tmp/keychain-access-test.keychain --raw
# Output:
password: "<SERVICE_SECRET>"
keychain: "/private/tmp/keychain-access-test.keychain"
Confidence
84% confidence
Finding
keychain

Credential Access

High
Category
Privilege Escalation
Content
Stored credential for 'test-service' / 'test-user'.

# 3) Get the credential (masked by default, raw only when asked)
./skills/keychain-access/keychain-access.sh get   --service test-service --account test-user   --keychain /tmp/keychain-access-test.keychain --raw
# Output:
password: "<SERVICE_SECRET>"
keychain: "/private/tmp/keychain-access-test.keychain"
Confidence
84% confidence
Finding
keychain

Credential Access

High
Category
Privilege Escalation
Content
Stored credential for 'test-service' / 'test-user'.

# 3) Get the credential (masked by default, raw only when asked)
./skills/keychain-access/keychain-access.sh get   --service test-service --account test-user   --keychain /tmp/keychain-access-test.keychain --raw
# Output:
password: "<SERVICE_SECRET>"
keychain: "/private/tmp/keychain-access-test.keychain"
Confidence
84% confidence
Finding
keychain

Credential Access

High
Category
Privilege Escalation
Content
Stored credential for 'test-service' / 'test-user'.

# 3) Get the credential (masked by default, raw only when asked)
./skills/keychain-access/keychain-access.sh get   --service test-service --account test-user   --keychain /tmp/keychain-access-test.keychain --raw
# Output:
password: "<SERVICE_SECRET>"
keychain: "/private/tmp/keychain-access-test.keychain"
Confidence
84% confidence
Finding
keychain

Credential Access

High
Category
Privilege Escalation
Content
Stored credential for 'test-service' / 'test-user'.

# 3) Get the credential (masked by default, raw only when asked)
./skills/keychain-access/keychain-access.sh get   --service test-service --account test-user   --keychain /tmp/keychain-access-test.keychain --raw
# Output:
password: "<SERVICE_SECRET>"
keychain: "/private/tmp/keychain-access-test.keychain"
Confidence
84% confidence
Finding
keychain

Credential Access

High
Category
Privilege Escalation
Content
./skills/keychain-access/keychain-access.sh get   --service test-service --account test-user   --keychain /tmp/keychain-access-test.keychain --raw
# Output:
password: "<SERVICE_SECRET>"
keychain: "/private/tmp/keychain-access-test.keychain"
version: 256
class: "genp"
attributes:
Confidence
78% confidence
Finding
keychain

Credential Access

High
Category
Privilege Escalation
Content
./skills/keychain-access/keychain-access.sh get   --service test-service --account test-user   --keychain /tmp/keychain-access-test.keychain --raw
# Output:
password: "<SERVICE_SECRET>"
keychain: "/private/tmp/keychain-access-test.keychain"
version: 256
class: "genp"
attributes:
Confidence
78% confidence
Finding
keychain

Credential Access

High
Category
Privilege Escalation
Content
./skills/keychain-access/keychain-access.sh get   --service test-service --account test-user   --keychain /tmp/keychain-access-test.keychain --raw
# Output:
password: "<SERVICE_SECRET>"
keychain: "/private/tmp/keychain-access-test.keychain"
version: 256
class: "genp"
attributes:
Confidence
78% confidence
Finding
keychain

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal