Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Locker Vault
v1.0.0
Secure credential and secrets management for OpenClaw agents using Locker Secrets Manager. Provides read-only and read-write vault access with in-memory cach...
by Alan Mosko (@moskoweb)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Suspicious (medium confidence)

Purpose & Capability
The skill's stated purpose (Locker secrets management) matches the included vault-client.js and documentation. However, the registry metadata declares no required environment variables and no primary credential, even though SKILL.md and the CLI reference plainly require LOCKER_ACCESS_KEY_ID and LOCKER_SECRET_ACCESS_KEY (or an interactive login) for the Locker CLI to work. That mismatch is unexpected and hides from the installer what the skill will actually need in order to operate.
Instruction Scope
SKILL.md and the references instruct agents to read and write config files, resolve vault:// references, and run the Locker CLI. Some documented patterns explicitly push secrets out of the vault and into less protected places: exporting them into process environments, or dumping every secret to a plaintext file (e.g. `locker secret list > .env`, `locker secret set && node app.js`, and crontab examples that pipe secrets into curl). Those examples contradict the core principles stated elsewhere in the same docs (no .env files, no raw secret output) and, if an agent follows them literally, make accidental secret exposure on disk, in shell history, or in logs considerably more likely.
Install Mechanism
The registry has no install spec, but SKILL.md and the references instruct installing the Locker CLI with a remote script: `curl -fsSL https://locker.io/secrets/install.sh | bash`. Piping a remote script straight into a shell executes whatever the server returns, with the invoking user's privileges and no integrity check, and an agent following these instructions may do so without any human review. The skill also depends on an external binary (locker) that is not part of the skill bundle, so installation happens out-of-band and the step is dangerous if the URL, the hosting, or the script itself is ever compromised. Download the script and read it, or install from a vetted package or a checksummed/signed release, before trusting it.
Credentials
The skill requires Locker credentials (LOCKER_ACCESS_KEY_ID and LOCKER_SECRET_ACCESS_KEY) to function, yet those env vars are not declared in the skill metadata. The vault-client also executes subprocesses that inherit the full process.env (Node's default when no explicit env option is passed), and the documentation includes patterns that deliberately export secrets into spawned processes' environments. Requiring powerful credentials is proportionate for a vault client, but leaving them undeclared and recommending export patterns increases the chance that the credentials, or the secrets they unlock, leak to other processes.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform-wide persistence. Autonomous invocation (disable-model-invocation: false) is the default and not a standalone concern here. The skill does not appear to modify other skills or system-wide agent settings.
What to consider before installing
This skill implements a plausible Locker vault client, but there are several warning signs to address before installing:

1. The registry metadata does not declare the Locker credentials (LOCKER_ACCESS_KEY_ID / LOCKER_SECRET_ACCESS_KEY) even though the skill requires them. Ask the publisher to declare the required env vars.
2. The docs recommend installing the Locker CLI by piping a remote install script (curl | bash). Do not run it unaudited: download the script and read it, or prefer a vetted package or a verifiable (checksummed or signed) release.
3. Several examples export all secrets into a .env file or into a child process environment; these patterns can leak secrets.

If you accept this skill, prefer read-only (ro) mode for untrusted agents, scope the access key to the fewest secrets the agent actually needs, and review vault-client.js for unexpected network endpoints or hidden exec calls (the client uses execFile to run 'locker'). If you cannot confirm the Locker domain, the installer and the credential handling, do not enable the skill. Where possible, ask the author to declare the required env vars in the metadata, remove or clearly qualify the .env/export examples, and provide a safer install mechanism (a package or a signed release).
latest: vk97fnq4r4n0zfgbvarv0rg7chn84fnsd
