ClawHub

Bitwarden

Security checks across malware telemetry and agentic risk

Overview

This Bitwarden helper is mostly legitimate, but it gives shell functions broad access to secrets and vault items with weak safeguards.

Review carefully before installing. Use it only with Bitwarden notes and vaults you fully trust, avoid bwce unless you intentionally want to store every exported environment variable, and treat bwe and bwe_safe as code execution from vault note contents. Prefer a limited Bitwarden account or collection and manually confirm item IDs before deleting anything.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
75% confidence
Finding
The skill description emphasizes loading secrets into memory and managing notes from .env files, but the content also supports destructive deletion, exporting current shell state into Bitwarden, and temporary on-disk handling. This mismatch can cause users to authorize or run the skill under a less risky mental model than its actual behavior, increasing the chance of accidental secret exposure or data loss.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The skill description promises secrets avoid files on disk, but bwc writes secret material derived from the .env file into a temporary file before uploading it to Bitwarden. Even with mktemp and chmod 600, this still creates an on-disk exposure window, can violate user expectations, and may leave recoverable traces via filesystem snapshots, backups, or crash scenarios.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
bwce exports the current shell environment to a temporary file, directly contradicting the claim that secrets only live in memory and die with the session. This is especially risky because the current environment may contain many unrelated secrets, tokens, and credentials that are persisted to disk and then uploaded to Bitwarden as a note.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
bwe_safe is labeled as safe, but it still passes note content into eval, which executes shell code in the current shell. An attacker who can influence the Bitwarden note content can achieve arbitrary command execution by crafting payloads that fit the allowed export pattern through shell substitution or quoting tricks.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
bwe retrieves note contents and evals them directly into the current shell, silently modifying the environment and potentially executing arbitrary shell code. In a secret-management skill, this context makes the issue more dangerous because users are encouraged to trust vault contents and source them into privileged interactive sessions.

Missing User Warnings

High
Confidence
97% confidence
Finding
bwce uploads all current exported environment variables to Bitwarden without any warning, filtering, or confirmation. This can unintentionally exfiltrate unrelated credentials, session tokens, cloud keys, and other sensitive runtime state into long-term storage, greatly expanding blast radius if the vault is later accessed or shared.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
bwdd performs an irreversible destructive action without confirmation, increasing the chance of accidental deletion of vault items. In a secrets-management tool, destructive operations deserve stronger safeguards because mistakes can disrupt access to credentials and notes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal