ArmorClaw

Security checks across malware telemetry and agentic risk

Overview

ArmorClaw is a real local secrets manager, but it needs review because its security claims do not match several high-impact credential-handling behaviors.

Install only after reviewing the credential-handling tradeoffs. Use the dependency path that provides real AES encryption (the cryptography package) rather than the fallback cipher, avoid bot auto-unlock and ARMORCLAW_PASSWORD storage, avoid bulk environment injection unless every loaded process should see every secret, limit .env scanning to explicit paths, and treat export back to .env as temporary plaintext exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises substantial capabilities—environment access, file read/write, network access, and shell usage—yet declares no permissions. For a secrets-management skill, these capabilities are highly sensitive because they enable discovery, import, exposure, and transmission of credentials without clear user consent or sandboxing expectations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior expands beyond a local encrypted vault into plaintext secret export, bulk environment injection, password persistence for auto-unlock, network-based IP discovery, and broad filesystem scanning. These behaviors materially increase credential exposure risk and violate user expectations for a 'secure local vault,' especially because injecting secrets into process environments and storing unlock material weaken the stated security model.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The authentication path performs outbound requests to third-party IP lookup services, which contradicts the stated local-vault security model and creates unnecessary data exposure and dependency on external services. Even if only the public IP is retrieved, the request reveals metadata about vault usage and can fail, be intercepted, or be influenced by remote infrastructure during access-control decisions.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
A 'bot' auto-unlock mode undermines the core protection of a master-password-protected secrets vault by enabling automated unlocking with stored credentials. In the context of a local secrets manager, this materially weakens the trust boundary: compromise of the host, process, or stored encrypted password path can yield immediate access to all managed secrets without interactive authentication.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The CLI intentionally exports decrypted vault contents into a plaintext .env file, which reintroduces the exact exposure the vault is supposed to mitigate. Although the command warns the user and requires confirmation, plaintext secret material on disk is a real security regression and can be exfiltrated by other local users, backups, malware, or accidental commits.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The initialization flow asks for the master password again and stores it in another application's config for auto-unlock, effectively creating a second, more accessible copy of the vault's root secret. Even with machine-bound encryption, this expands the attack surface to the OpenClaw config path and any code that can read or misuse that config on the same machine.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The function intentionally decrypts vault entries and writes them back to a plaintext .env file, which undermines the stated security boundary of a secure local vault. Although this appears to be a convenience feature rather than overtly malicious behavior, it materially increases exposure because secrets are persisted on disk in an unencrypted, commonly targeted format.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The file claims to provide AES-256-CBC, but when the cryptography package is unavailable it silently switches to a custom SHA-256-based construction that is not AES and has not been validated as a secure block cipher. Because this skill is explicitly a secrets manager for API keys and credentials, users may trust the advertised encryption guarantees and store high-value secrets under materially weaker, nonstandard protection.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata and module comments promise AES-256 encrypted secret storage, but the implementation may use a custom non-AES cipher whenever the optional dependency is missing. This mismatch is security-relevant because it can cause operators to deploy the vault in environments without cryptography installed, believing they still have standard AES-based protection for credentials.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The function scans broad default user directories such as ~/.openclaw, ~/projects, and ~/Documents recursively for .env files, which exceeds the minimum scope needed to import a user-specified file. In a secrets-management skill, this increases exposure to unrelated credentials and can enable unintended discovery of sensitive files without explicit user selection.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This is a real vulnerability. When the cryptography library is unavailable, the code silently switches from AES-CBC to a homegrown hash/XOR scheme that is not AES and has no sound security proof; custom cryptography is prone to confidentiality failures and the fallback decryption logic is not a true inverse of standard secure encryption. In a secrets manager, users may rely on the documented AES-256 claim and store high-value credentials under materially weaker protection without realizing it.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The documentation states the blob is safe to store because only the original machine can decrypt it, but that assurance is overstated even before considering the fallback cipher: the key is deterministically derived from machine attributes like MAC address and hostname, which are not secret and may be guessable, readable locally, or reproducible in cloned/containerized environments. Because this skill is specifically for storing API keys and credentials, overstating security can directly lead users to place sensitive secrets under inadequate protection.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This is a true vulnerability because the product advertises AES-256 encrypted secret storage, yet the implementation conditionally uses a custom non-AES construction when a dependency is missing. That mismatch is especially dangerous in a secrets manager: operators may deploy it in minimal environments without cryptography installed and unknowingly protect tokens, API keys, and credentials with a weaker, nonstandard cipher.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
`inject_vault_env` unlocks the vault and exports every secret returned by `ck.list()` into `os.environ`, even when only a subset is needed. This greatly broadens secret exposure because any code in the same process, child processes, logs, crash dumps, or subprocess invocations may access all vault contents rather than only explicitly referenced keys.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
Reading the master password from a global environment variable enables unattended unlock, but it also places a highly sensitive credential into a widely accessible channel. Environment variables are often inherited by subprocesses and may be exposed through debugging tools, process inspection, CI logs, or misconfigured telemetry, increasing the chance of vault compromise.

Intent-Code Divergence

Medium
Confidence
76% confidence
Finding
The module documentation emphasizes resolving `vault:` references at runtime, but the implementation also injects all vault secrets into `os.environ`. This mismatch can mislead integrators into assuming narrow secret resolution while actually causing broad secret exposure, which is a security-relevant behavior gap rather than a mere documentation issue.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README recommends loading all vault secrets into environment variables and optionally supplying the master password through an environment variable, but does not warn that environment variables are often inherited by child processes, exposed in logs/debug output, or readable by co-tenant tools. For a secrets product, this guidance can directly undermine the protection the vault is supposed to provide.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The public IP lookup contacts external services without any visible warning, consent flow, or disclosure to the user, causing unintended transmission of network-identifying metadata. For a tool marketed as a secure local vault, this mismatch increases risk because users may reasonably expect no outbound authentication-related telemetry or third-party dependencies.

Missing User Warnings

High
Confidence
99% confidence
Finding
The fallback instructions explicitly tell the user to manually place the master password into openclaw.json in plaintext if encryption/write logic fails. That creates an immediate compromise path for the vault's root credential via local file disclosure, backups, logs, editor history, or accidental sharing.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code captures a machine fingerprint and stores it as part of the lock configuration without any inline disclosure or consent prompt at the action point. While intended for device binding, machine fingerprints are sensitive identifiers and their silent collection can create privacy and trust issues, especially in a secrets-management tool.

Missing User Warnings

High
Confidence
96% confidence
Finding
The export routine writes decrypted secrets directly to a file without any explicit warning at execution time that the output is plaintext and persistent. In a secrets-manager context, this is particularly dangerous because users may assume the tool preserves vault-level protections, while the resulting .env file can be read by other local processes, backups, editors, or accidental commits.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The `import_env` method supports destructive post-import actions such as deleting or modifying the source .env file based solely on the caller-provided `after` argument, and this wrapper does not enforce an explicit confirmation step. In an agent setting, a compromised or overly permissive caller could erase configuration files unexpectedly, causing data loss or hindering recovery after import.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The `env_inject` method decrypts and returns all stored secrets in a plain dictionary, greatly expanding exposure compared with retrieving only a needed key. In an agent ecosystem with cross-skill interactions, this creates a bulk secret exfiltration primitive if an untrusted or compromised skill can invoke it.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
`handle_env_after_import` can delete the original .env file, or delete it after taking a backup, with no in-function confirmation, dry-run, or safeguard despite dealing with sensitive and operationally important files. This creates a realistic risk of accidental destructive actions, especially if called programmatically by another component or with untrusted parameters.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The access log records the caller's current IP address for every secret operation, which is sensitive network-derived metadata. In a secrets manager context, this creates an additional privacy and security exposure because compromise of the local vault or logs reveals operator network information and usage patterns without any evidence here of user consent, minimization, or an option to disable the collection.

VirusTotal

65/65 vendors flagged this skill as clean.
