OpenClaw Credential Manager

Security checks across malware telemetry and agentic risk

Overview

This credential-security skill is mostly coherent, but it needs review because it broadly scans and centralizes secrets while recommending unsafe passphrase and GPG handling patterns.

Install only if you explicitly want this tool to read, migrate, encrypt, back up, and potentially delete local credential files. Review every scanned path before consolidation or cleanup, keep verified backups, avoid --yes for first-time migrations, do not store OPENCLAW_GPG_PASSPHRASE in ~/.openclaw/.env, and prefer gpg-agent, an OS keychain, hardware-backed storage, or manual passphrase entry for encrypted secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (38)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly instructs scanning files, reading environment data, writing credential stores, and invoking shell commands, yet it declares no permissions. That mismatch undermines review and consent because users cannot accurately assess the skill's operational reach before using it.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The document states high-value secrets should never exist as plaintext on disk, but later recommends storing the GPG passphrase in the same plaintext .env used to protect those secrets. If an attacker reads ~/.openclaw/.env, they gain both the encrypted secret references and the passphrase needed to decrypt them, collapsing the security boundary.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The 'secure/new' examples build shell commands containing a passphrase and encourage sourcing the entire .env into the shell environment. This can leak secrets through process listings, child-process inheritance, shell tracing/logging, or command-injection if values contain metacharacters, directly contradicting the stated secure-handling model.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The module is described as encryption-focused hardening, but it also supports decrypting secrets back into plaintext `.env` files. In a credential-management skill, this mismatch is dangerous because operators may rely on the documentation and unintentionally reintroduce plaintext secrets into a file the tool claims to harden.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script can restore encrypted secrets into plaintext `.env`, directly undermining the stated purpose of secure credential hardening. In this skill context, handling API keys and private keys, that capability materially increases the chance of credential exposure through backups, accidental commits, file reads by other tooling, or later exfiltration from disk.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The self-test validates GPG using symmetric encryption with an empty passphrase and loopback mode, which does not meaningfully test the real security posture expected for protected secrets. In a credential-management skill, this can mislead users into believing GPG is correctly securing secrets when the tested path bypasses normal interactive/passphrase protections and may normalize unsafe configuration choices.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The document mandates a single hardcoded credential path under a specific user's home directory (`/home/phan_harry/.openclaw/.env`) with no configurability. This creates a brittle and potentially unsafe design: tools may read from or write secrets to the wrong account, encourage unsafe cross-context sharing of credentials, and break isolation between projects, users, or environments.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly documents decrypting private keys back to plaintext but does not warn that doing so can expose secrets on disk, in shell history, process memory, logs, or temporary files. In a credential-management skill, omitting this warning is security-significant because users may treat decryption as routine and reintroduce the exact plaintext-secret risk the skill is meant to reduce.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README instructs users to run cleanup that removes old credential files without clearly marking the step as destructive or advising verification and backup review first. In a credential migration context, this can cause irreversible deletion of still-needed secrets or evidence needed for rollback, potentially leading to service outages or credential loss.

Missing User Warnings

High
Confidence
99% confidence
Finding
The documentation explicitly instructs users to place the GPG passphrase in plaintext within the main .env file, without an adequate warning that this largely defeats the benefit of encrypting the protected secrets. Anyone who obtains that file can automate decryption of the supposedly protected material.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This document explicitly enumerates many credential file patterns, secret variable names, and normalization behavior for auto-detection, but it provides no safety guidance about minimizing exposure, limiting scan scope, redacting output, or avoiding ingestion of unrelated secrets. In the context of a credential-management skill, that omission is security-relevant because it encourages broad secret discovery and transformation workflows that could accidentally collect, display, or mishandle high-value credentials across a repository or workstation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes directly to ~/.gnupg/gpg-agent.conf and appends to ~/.gnupg/gpg.conf, changing user-wide GPG behavior without an explicit confirmation prompt or strong warning. In a credential-management context, silently altering global crypto settings is risky because it can affect unrelated GPG usage and weaken expected protections, especially by enabling loopback pinentry.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
# Interactive mode (prompts before changes)
./scripts/consolidate.py

# Auto-confirm (no prompts)
./scripts/consolidate.py --yes

# Backup only
Confidence
83% confidence
Finding
Auto-confirm

Credential Access

High
Category
Privilege Escalation
Content
- `~/.openclaw/workspace/skills/*/.env` ❌ → Root
- `~/.openclaw/workspace/skills/*/repo/.env` ❌ → Root
- `~/.openclaw/workspace/scripts/.env` ❌ → Root
- `~/.config/*/credentials.json` ❌ → Root
- Any scattered API key files ❌ → Root

## Enforcement
Confidence
96% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
The credential-manager skill enforces this rule:

1. **Scan:** Detects ALL .env files and credential files
2. **Consolidate:** Merges everything into `~/.openclaw/.env`
3. **Cleanup:** Removes scattered files (after backup)
4. **Validate:** Ensures no scattered files remain
Confidence
97% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
- `~/.openclaw/workspace/.env` — Workspace env files
- `~/.openclaw/workspace/*/.env` — Subdirectory env files
- `~/.openclaw/workspace/skills/*/.env` — Skill env files
- `~/.local/share/*/credentials.json` — Local share directories

**Sensitive Key Patterns:**
- API keys, access tokens, bearer tokens
Confidence
88% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
---
name: credential-manager
description: MANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Includes GPG encryption for high-value secrets, credential rotation tracking, deep scanning, and backup hardening. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional — centralized credential management is a core requirement for secure OpenClaw deployments.
---

# Credential Manager
Confidence
85% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
private_key=$(jq -r '.custodyPrivateKey' "$FARCASTER_CREDS")

# NEW (secure, GPG-aware):
ENV_FILE="$HOME/.openclaw/.env"

_load_cred() {
  local key="$1"
Confidence
94% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
const privateKey = creds.custodyPrivateKey;

// NEW (secure, GPG-aware):
const ENV_PATH = path.join(os.homedir(), '.openclaw/.env');
const SECRETS_PATH = path.join(os.homedir(), '.openclaw/.env.secrets.gpg');

function loadCred(key) {
Confidence
96% confidence
Finding
.env'

Credential Access

High
Category
Privilege Escalation
Content
#!/usr/bin/env bash
set -euo pipefail

# Validate .env exists and is secure
if ! python3 ~/.openclaw/skills/credential-manager/scripts/enforce.py; then
    exit 1
fi
Confidence
87% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
import os
from pathlib import Path

# Load .env
env_file = Path.home() / '.openclaw' / '.env'
with open(env_file) as f:
    for line in f:
Confidence
82% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
from pathlib import Path

# Load .env
env_file = Path.home() / '.openclaw' / '.env'
with open(env_file) as f:
    for line in f:
        if '=' in line and not line.strip().startswith('#'):
Confidence
82% confidence
Finding
.env'

Credential Access

High
Category
Privilege Escalation
Content
- `~/.local/share/*/credentials.json` — Local share directories

**Sensitive Key Patterns:**
- API keys, access tokens, bearer tokens
- Secrets, passwords, passphrases
- OAuth consumer keys
- Private keys, signing keys, wallet keys
Confidence
80% confidence
Finding
access tokens

Credential Access

High
Category
Privilege Escalation
Content
# Common credential file patterns
CREDENTIAL_PATTERNS = [
    "~/.config/*/credentials.json",
    "~/.config/*/*.credentials.json",
    "~/.openclaw/*.json",
    "~/.openclaw/*-credentials*",
Confidence
84% confidence
Finding
credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.
