skill-state-manager
WarnAudited by ClawScan on May 11, 2026.
Overview
This credential-management skill is coherent, but it asks the agent to collect and persist arbitrary API tokens in local JSON files without clear scope limits or security controls.
Review carefully before installing. If you use it, only provide low-privilege, revocable tokens for tools you trust, assume the secrets may be stored as local JSON files, inspect and protect the listed directories, and delete or rotate credentials when no longer needed.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could be asked to provide powerful tokens that let the agent or any compatible tool act on third-party accounts such as Jira, Notion, or custom business APIs.
The skill asks the agent to handle credentials for arbitrary third-party services and custom APIs, not a clearly bounded provider or credential scope.
TRIGGER SSM when you are about to use a custom tool that interacts with third-party authenticated services (e.g., Jira, Notion, Custom APIs) OR when a tool explicitly requires secrets.
Limit use to explicitly trusted tools and least-privileged, revocable tokens. The skill should declare supported credential types, expected scopes, and require explicit user confirmation before each new credential is stored or used.
Saved API keys may remain on disk indefinitely and could be exposed to other local processes, other skills, backups, or future agent runs that read the same state files.
The instructions persist secrets in local JSON state files that may be reused across future tasks, but the artifact does not specify encryption, file permissions, retention limits, deletion, or protection from other tools reading or overwriting them.
use the `Write` tool to save it into the JSON file ... write to `~/.claude/skills-state/<tool-name>.json` ... or `~/.ai-skills-state/<tool-name>.json`
Use an OS keychain or dedicated secret manager instead of raw JSON where possible. If local files are used, enforce restrictive permissions, document the exact paths, provide deletion/revocation instructions, and avoid storing high-privilege tokens.
Users may trust the skill more than warranted and paste sensitive secrets into chat believing they are protected like a secure password vault.
The artifact claims secure saving, but the described mechanism is writing user-provided secrets from chat into JSON files, with no supporting security controls described.
your AI will simply ask you for it once, save it securely ... Once the user provides the information in the chat, use the `Write` tool to save it into the JSON file
Replace the unsupported 'securely' claim with a clear disclosure of how secrets are stored, what protections exist, and what risks remain. Prefer secure secret-storage mechanisms and avoid asking users to paste high-value credentials into chat.