Skill v1.0.3

ClawScan security

Wundervault Vault · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 3:27 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill legitimately needs access to a vault and long-lived credentials, but the package metadata omits those requirements and the install instructions ask you to store powerful secret keys in your agent config and install an npm package — these mismatches and the high privilege make this worth extra caution.
Guidance
Before installing:
1) Verify the source: confirm that the @wundervault/mcp-server package and the wundervault project are trustworthy (check the repository, the maintainer, and release signatures).
2) Ask the skill author why the skill metadata omits the required env vars; the metadata should list the Vault URL, API key, encryption key, and agent ID.
3) Prefer self-hosting the Wundervault server, or run the MCP package in an isolated environment you control.
4) Treat the Agent API Key and Encryption Key as high-value secrets: minimize their scope, rotate them, and restrict the agent vault's permissions.
5) Inspect the npm package code (and any bundled binaries) before installing, pin an exact version, and avoid shortened or unverified install sources.
6) Test in a sandboxed agent or ephemeral workspace first: because vault_exec executes commands with injected secrets, a compromised MCP implementation or a misconfiguration could expose or misuse those secrets.
7) If you proceed, document where the keys are stored (the openclaw mcp config) and who has access, and add logging/alerts on high-risk Tier 2 operations.

Review Dimensions

Purpose & Capability
concern
The skill's stated purpose (read secrets and run commands with secrets injected) matches the runtime instructions, but the registry metadata declares no required environment variables or primary credential, while INSTALL.md clearly requires several sensitive values (Vault URL, Agent API Key, Agent Encryption Key, Agent ID). That omission is an incoherence: a vault integration legitimately needs those secrets, so they should be declared in the skill metadata.
Instruction Scope
concern
SKILL.md instructs the agent to use vault_read, vault_exec, and vault_session_unlock to run arbitrary shell commands with secrets injected. While that is consistent with a vault's purpose, the instructions also point the user to INSTALL.md, which tells them to register long-lived secrets in OpenClaw's MCP config. The skill allows execution of arbitrary commands with injected secrets (Tier 1 and Tier 2 flows); this is powerful and requires careful trust in the MCP server implementation and configuration. SKILL.md does not explicitly limit which commands are permitted beyond noting blocked shell-escape sequences, leaving room for risky use if the skill is misconfigured or the MCP tool is compromised.
Install Mechanism
note
There is no formal install spec in the skill bundle (instruction-only), but INSTALL.md instructs installing the @wundervault/mcp-server npm package (globally or locally) and registering an openclaw mcp command. Installing a third-party npm package is a standard approach but carries moderate risk: verify the package's provenance, inspect its code (including any install-time scripts and native binaries), and prefer installing from a known registry or your own self-hosted instance. The skill does not include or pin a release URL, version, or checksum, so a substituted package under the same name would not be detected.
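The pre-install inspection recommended above and in guidance point 5, as an added example (not ClawHub's or Wundervault's code). It audits an npm tarball the way a practitioner would audit the output of `npm pack <package>@<version>`: compare the tarball's sha512 against a pinned integrity string, list lifecycle scripts that npm runs automatically at install time, flag dependencies that bypass the registry, and flag native or shell files that a JavaScript-only review would miss. Both tarballs are constructed in memory so the script runs offline; the version `0.0.0-example`, the file names and the dependency names are assumptions, not Wundervault's package contents.

```python
"""Offline pre-install audit of an npm tarball. Added example, not project code;
the two tarballs are constructed here to mirror a clean package and a substituted one."""
import base64
import hashlib
import io
import json
import tarfile
from typing import Dict, List, Optional, Union

# package.json scripts that npm runs automatically during install.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
# Files that deserve a manual look: native code and shell scripts hide logic from a JS review.
NATIVE_OR_SHELL = (".node", ".so", ".dll", ".dylib", ".sh", ".exe")
# Dependency specifiers that bypass the registry (and its integrity/provenance data).
OFF_REGISTRY = ("git", "http:", "https:", "file:", "github:")


def make_tarball(files: Dict[str, Union[str, bytes]]) -> bytes:
    """Build an npm-style gzipped tarball with everything under package/ (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content.encode() if isinstance(content, str) else content
            info = tarfile.TarInfo("package/" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def integrity_of(tar_bytes: bytes) -> str:
    """SRI string in the form package-lock.json records: sha512 over the tarball bytes."""
    return "sha512-" + base64.b64encode(hashlib.sha512(tar_bytes).digest()).decode()


def audit_tarball(tar_bytes: bytes, pinned_integrity: Optional[str]) -> dict:
    """Return name/version, bin entries and a list of findings (empty list means ok)."""
    findings: List[str] = []
    if pinned_integrity is None:
        findings.append("no integrity pin: a substituted tarball would go unnoticed")
    elif integrity_of(tar_bytes) != pinned_integrity:
        findings.append("integrity mismatch against the pinned sha512")

    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        pkg = json.load(tar.extractfile("package/package.json"))
        names = [m.name for m in tar.getmembers()]

    for hook in LIFECYCLE:
        if hook in pkg.get("scripts", {}):
            findings.append(f"lifecycle script runs at install time: {hook} -> {pkg['scripts'][hook]}")
    for dep, spec in pkg.get("dependencies", {}).items():
        if spec.startswith(OFF_REGISTRY):
            findings.append(f"off-registry dependency: {dep} -> {spec}")
    for name in names:
        if name.endswith(NATIVE_OR_SHELL):
            findings.append(f"native or shell file needs manual review: {name}")

    return {
        "name": pkg.get("name"),
        "version": pkg.get("version"),
        "bin": pkg.get("bin", {}),  # with -g these land on PATH; expected for an MCP server
        "findings": findings,
        "ok": not findings,
    }


# Constructed sample 1: a well-behaved MCP server package (no install-time code).
CLEAN = make_tarball({
    "package.json": json.dumps({
        "name": "@wundervault/mcp-server", "version": "0.0.0-example",
        "bin": {"wundervault-mcp": "dist/cli.js"},
        "scripts": {"test": "node test/run.js"},
        "dependencies": {"some-dep": "^1.3.0"},
    }),
    "dist/cli.js": "#!/usr/bin/env node\nconsole.log('mcp server');\n",
})

# Constructed sample 2: same name and version, with the traits a substituted package would have.
RISKY = make_tarball({
    "package.json": json.dumps({
        "name": "@wundervault/mcp-server", "version": "0.0.0-example",
        "bin": {"wundervault-mcp": "dist/cli.js"},
        "scripts": {"postinstall": "node scripts/setup.js"},
        "dependencies": {"helper": "git+https://example.invalid/helper.git"},
    }),
    "dist/cli.js": "console.log('mcp server');\n",
    "scripts/setup.js": "// would run with the installing user's privileges\n",
    "build/native.node": b"\x7fELF",
})

if __name__ == "__main__":
    pin = integrity_of(CLEAN)  # the value you would record once you have reviewed a release
    for label, tar in (("clean", CLEAN), ("risky", RISKY)):
        report = audit_tarball(tar, pin)
        print(label, "ok" if report["ok"] else "REVIEW", *report["findings"], sep="\n  ")
```

Auditing the risky tarball against the pin recorded for the clean one reports an integrity mismatch in addition to the postinstall hook, the git dependency and the native binary, which is the check that a name-and-version pin alone cannot give you.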
Credentials
concern
Functionally the skill requires several high-sensitivity environment/config values (vault URL, API key, encryption key, agent ID) that are necessary for operation, but these are not declared in the skill's required env metadata. Requiring an agent encryption key and API key is proportionate to the feature, but storing them as persistent env values in OpenClaw's MCP config concentrates high privilege; the metadata omission reduces transparency and makes it harder to audit what the skill will access.
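The metadata/INSTALL.md mismatch raised under Purpose & Capability and again here is mechanically checkable. The following is an added example, not ClawHub's scanner code: it extracts every environment variable INSTALL.md tells the user to set or that its commands read, diffs that against the variables the skill metadata declares, and escalates when an undeclared variable looks like a credential or when a credential is required but none is named as primary. The metadata shape (a `requires` block with `env` and `primaryCredential`), the variable names and the INSTALL.md excerpt are constructed to mirror what this review describes; they are assumptions, not Wundervault's actual names.

```python
"""Coherence check between a skill's declared env metadata and its INSTALL.md.
Added example, not ClawHub's scanner code; all inputs below are constructed."""
import json
import re
from typing import Set

# Constructed: the registry metadata as the review describes it (nothing declared).
SKILL_METADATA_AS_PUBLISHED = json.loads("""
{"name": "wundervault-vault", "version": "1.0.3",
 "requires": {"env": [], "primaryCredential": null}}
""")

# Constructed: what the metadata should look like for this skill.
SKILL_METADATA_FIXED = json.loads("""
{"name": "wundervault-vault", "version": "1.0.3",
 "requires": {"env": ["WUNDERVAULT_URL", "WUNDERVAULT_AGENT_API_KEY",
                      "WUNDERVAULT_AGENT_ENCRYPTION_KEY", "WUNDERVAULT_AGENT_ID"],
              "primaryCredential": "WUNDERVAULT_AGENT_API_KEY"}}
""")

# Constructed INSTALL.md excerpt; the variable names are assumptions, not Wundervault's.
INSTALL_MD = """
## Setup
npm install -g @wundervault/mcp-server
Export these before registering the MCP command with openclaw:
  export WUNDERVAULT_URL=https://vault.example.internal
  export WUNDERVAULT_AGENT_API_KEY=<agent api key>
  export WUNDERVAULT_AGENT_ENCRYPTION_KEY=<agent encryption key>
  export WUNDERVAULT_AGENT_ID=<agent id>
The MCP server reads $WUNDERVAULT_URL and ${WUNDERVAULT_AGENT_ID} at start-up.
"""

# Matches `export NAME=` as well as $NAME / ${NAME} references.
ENV_REF = re.compile(r"export\s+([A-Z][A-Z0-9_]+)=|\$\{?([A-Z][A-Z0-9_]+)\}?")
# Names that look like credentials are called out separately.
SECRET_HINT = re.compile(r"KEY|SECRET|TOKEN|PASSWORD", re.IGNORECASE)


def referenced_env_vars(install_md: str) -> Set[str]:
    """Every env var INSTALL.md asks the user to set or that its commands read."""
    return {m.group(1) or m.group(2) for m in ENV_REF.finditer(install_md)}


def declared_env_vars(metadata: dict) -> Set[str]:
    """Env vars the skill metadata declares as required."""
    return set((metadata.get("requires") or {}).get("env") or [])


def check_metadata_coherence(metadata: dict, install_md: str) -> dict:
    """Report env vars INSTALL.md requires that the metadata does not declare."""
    requires = metadata.get("requires") or {}
    referenced = referenced_env_vars(install_md)
    undeclared = sorted(referenced - declared_env_vars(metadata))
    undeclared_secrets = [n for n in undeclared if SECRET_HINT.search(n)]
    # A skill that needs a credential but names none as primary is also incoherent.
    needs_credential = any(SECRET_HINT.search(n) for n in referenced)
    missing_primary = needs_credential and not requires.get("primaryCredential")
    if undeclared_secrets or missing_primary:
        severity = "concern"
    elif undeclared:
        severity = "note"
    else:
        severity = "ok"
    return {
        "undeclared": undeclared,
        "undeclared_secrets": undeclared_secrets,
        "missing_primary_credential": missing_primary,
        "severity": severity,
    }


if __name__ == "__main__":
    for label, meta in (("as published", SKILL_METADATA_AS_PUBLISHED), ("fixed", SKILL_METADATA_FIXED)):
        print(label, json.dumps(check_metadata_coherence(meta, INSTALL_MD), indent=2))
```

Against the published metadata the check lists all four variables as undeclared, two of them as secrets, and notes that no primary credential is named; against the corrected metadata it reports nothing, which is the state the guidance asks the author to reach.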
Persistence & Privilege
note
The skill does not set always:true and allows model invocation as normal. However, INSTALL.md instructs registering the MCP command and embedding long-lived credentials in OpenClaw's MCP configuration, which gives the agent a persistent channel to the vault. That persistent access is expected for vault integrations but is high-privilege: ensure the MCP registration is scoped and audited, and that the keys are rotated and limited as appropriate.