Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

pandora

v0.1.0

Pandora namespace for Netsnek e.U. secrets and configuration management vault. Securely stores API keys, database credentials, and environment configs with v...

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description advertise a full-featured secrets vault (encryption at rest/in transit, backends such as KMS or remote vault, rotation, access control). The package contains only an instruction file and a tiny script that only echoes which mode was requested; there is no code to encrypt, persist, rotate, list keys, integrate with KMS, or enforce access control. The claimed capabilities would legitimately require additional code, credentials, or config that are not present.
Instruction Scope
SKILL.md tells users to run scripts/vault-ops.sh to store/rotate/list secrets and describes behavior such as prompting for secret values, reading stdin, and returning rotated values. The shipped script does not implement these behaviors — it only parses flags and prints mode messages. The instructions therefore promise actions that the runtime does not perform, which is misleading and could lead users to believe secrets are being managed when they are not.
Install Mechanism
There is no install spec and this is instruction-only with a small script file. That is low-risk from an installation perspective — nothing is downloaded or extracted from external URLs.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate to what is actually shipped (a no-op script). However, given the declared purpose (KMS/backends, production vault), one would normally expect credentials or configuration requirements; the absence is another sign of incompleteness or misrepresentation.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It requests exec permission in metadata so it can run the provided script; this is reasonable for a script-driven skill. There is no evidence it persists credentials, modifies other skills, or requests system-wide privileges.
What to consider before installing
Do not use this skill to store real secrets. The documentation describes vault behavior (encryption, rotation, KMS, returning secret values) but the included script only prints which mode was requested and does not implement storage, encryption, or network/back-end integration. Before installing or using: (1) ask the author for the full implementation and provenance (homepage, repo); (2) review and validate the actual code that will read/write secrets and any network calls; (3) require explicit documentation of encryption algorithms, key management, and required credentials; (4) if you must test, do so in an isolated environment with dummy secrets only; (5) prefer well-known, audited vault solutions for production secrets. If the author provides a real implementation, re-evaluate to ensure required env vars and backend access are appropriate and proportional.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

OS: Linux
latestvk974ydz9c0p7jep1dwv88sdaq981dbx8
616 downloads
0 stars
1 version
Updated 5h ago
License: MIT-0

Pandora

Guard Your Secrets

Pandora is a secrets vault for applications and teams. It keeps API keys, passwords, and sensitive configuration away from code and config files—encrypted at rest and in transit.

Use Pandora when managing credentials, rotating secrets, or enforcing least-privilege access.

Vault Architecture

  • Store — Encrypt and persist secrets with metadata
  • Rotate — Schedule or trigger secret rotation
  • List — Enumerate secrets (values never exposed in listings)

Operations Guide

# Store a new secret
./scripts/vault-ops.sh --store --key "db_password" --value "secret"

# Rotate an existing secret
./scripts/vault-ops.sh --rotate --key "api_token"

# List all secret keys (no values)
./scripts/vault-ops.sh --list-secrets

Arguments

Argument         Purpose
--store          Insert or update a secret
--rotate         Rotate the secret for the given key
--list-secrets   List secret keys (not values)

Security Walkthrough

  1. Store: vault-ops.sh --store --key prod_db_pw — Prompts for value or reads from stdin.
  2. List: vault-ops.sh --list-secrets — Shows keys only; never outputs values.
  3. Rotate: vault-ops.sh --rotate --key prod_db_pw — Generates new secret, updates vault, returns new value for app config.
