Back to skill

Security audit

Bitwarden CLI

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Bitwarden CLI skill that is purpose-aligned, but users should handle vault sessions and exported secrets carefully.

Install only the official Bitwarden CLI, use the skill for specific vault tasks rather than broad unattended access, avoid pasting or exporting long-lived secrets in shared shells, unset sensitive environment variables after use, verify item IDs before any create or edit command, and lock or log out of Bitwarden when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documented create/edit examples expand the skill from install/auth/read into write operations that can modify vault contents, including credentials. In a secrets-management context, encouraging mutation materially increases the blast radius of misuse or prompt-injection-driven actions because an agent could overwrite, poison, or create misleading vault items rather than only retrieve data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The examples export secrets into environment variables and interpolate them directly into command lines without warning about leakage risks. In practice, secrets placed in environment variables or argv can persist in shell history, child-process environments, logs, crash dumps, or process inspection tooling, which is especially risky in an agent workflow handling vault contents.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The prerequisite instructs users to export BW_SESSION without noting that it is a bearer credential that grants vault access for the active session. If exposed through shell history, terminal scrollback, inherited environments, logs, or debugging output, an attacker or adjacent process could reuse the token to access secrets without re-authentication.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to export Bitwarden API credentials and a raw session token into shell environment variables, but it does not warn that these values may be exposed through shell history, process environments, terminal scrollback, CI logs, or other local inspection mechanisms. Because this skill is specifically about secret management, omitting handling guidance for highly sensitive credentials increases the chance that users will leak long-lived API secrets or active vault session tokens.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The tmux workflow encourages keeping an unlocked Bitwarden session alive in a long-lived terminal multiplexer session without warning that the `BW_SESSION` token may remain accessible to anyone who can access that terminal, shell state, scrollback, or inherited environment. In the context of a password-manager skill, preserving an active decrypted vault session for convenience materially raises the risk of unauthorized secret access on shared or persistent systems.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.