Secrets Vault
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: secrets-vault
Version: 1.0.0

The skill is classified as suspicious for two primary reasons, even though the provided Python scripts (`crypto_utils.py`, `secrets_manager.py`) appear well implemented for local secret management. First, `SKILL.md` explicitly documents a feature (`python scripts/inject_env.py --run "python app.py"`) that runs an arbitrary command with the decrypted secrets injected into its environment. Presented as a legitimate capability, it is nonetheless an arbitrary-command-execution primitive: if the AI agent driving the skill were compromised through prompt injection, this amounts to remote code execution with the vault's secrets already in hand. Second, the 'Secure Sharing' feature (`python scripts/share.py`) implies network communication with an external endpoint to share sensitive data. Because `share.py` is not included in the package, this is an unreviewable potential data exfiltration vector, however 'secure' the documentation calls it. Neither capability is inherently malicious in its stated purpose, but both introduce high-risk behaviors that an attacker could exploit.
Findings
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Secrets could leak locally before they are encrypted into the vault.
The skill documents adding real API keys and passwords as command-line arguments. For a secrets manager, this is risky because command arguments may be recorded in shell history, process listings, terminal logs, or CI logs.
```bash
python scripts/secrets_manager.py add api.openai \
  --type api_key \
  --key sk-xxxxxxxx
...
--password secret123
```
Prefer interactive prompts, stdin, or a secure OS keychain flow for entering secret values; clearly warn users not to pass real secrets as command-line flags.
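The following is an added example for this finding, not code from the secrets-vault skill: it shows how the `add` command could accept the secret value without it ever appearing in argv, so it cannot land in shell history, `ps` output, or CI logs. The flag names (`--key-stdin`, `--key-env`) and the `SecretOnCommandLine` error are assumptions made for the illustration; the sample values are constructed and not real keys.

```python
"""Added example (not the secrets-vault skill's code): accept a secret for
`add` from stdin, an environment variable, or a no-echo prompt, and refuse
the leaky `--key VALUE` form outright."""
import argparse
import getpass
import io
import os
import sys
from typing import Callable, Mapping, Optional, TextIO


class SecretOnCommandLine(ValueError):
    """Raised when a caller tries to pass the secret itself as a flag value."""


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(prog="secrets_manager.py add")
    p.add_argument("name", help="entry name, e.g. api.openai")
    p.add_argument("--type", default="api_key")
    src = p.add_mutually_exclusive_group()
    src.add_argument("--key-stdin", action="store_true",
                     help="read the secret from stdin (pipe it from a keychain tool)")
    src.add_argument("--key-env", metavar="VAR",
                     help="read the secret from environment variable VAR")
    # Kept only so the old, leaky form is rejected with a clear message instead
    # of silently storing a value that is already in the shell history.
    src.add_argument("--key", metavar="VALUE", help=argparse.SUPPRESS)
    return p


def resolve_secret(ns: argparse.Namespace,
                   stdin: TextIO = sys.stdin,
                   environ: Mapping[str, str] = os.environ,
                   prompt: Callable[[str], str] = getpass.getpass) -> str:
    """Return the secret from whichever non-argv source the caller selected."""
    if ns.key is not None:
        raise SecretOnCommandLine(
            "refusing --key VALUE: use --key-stdin, --key-env VAR, or the interactive prompt")
    if ns.key_stdin:
        value: Optional[str] = stdin.readline()
    elif ns.key_env:
        value = environ.get(ns.key_env)
        if value is None:
            raise KeyError(f"environment variable {ns.key_env} is not set")
    else:
        # getpass does not echo and never touches argv or history.
        value = prompt("Secret value: ")
    value = value.rstrip("\r\n")
    if not value:
        raise ValueError("empty secret value")
    return value


def demo() -> dict:
    """Exercise every input path with constructed, non-real values."""
    parser = build_parser()
    out = {}
    ns = parser.parse_args(["api.openai", "--key-stdin"])
    out["stdin"] = resolve_secret(ns, stdin=io.StringIO("sk-constructed-example\n"))
    ns = parser.parse_args(["api.openai", "--key-env", "EXAMPLE_API_KEY"])
    out["env"] = resolve_secret(ns, environ={"EXAMPLE_API_KEY": "sk-from-env"})
    ns = parser.parse_args(["api.openai"])
    out["prompt"] = resolve_secret(ns, prompt=lambda _msg: "sk-typed")
    ns = parser.parse_args(["api.openai", "--key", "sk-on-argv"])
    try:
        resolve_secret(ns)
        out["argv_refused"] = False
    except SecretOnCommandLine:
        out["argv_refused"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The environment-variable path is the weakest of the three: it keeps the value out of history and `ps`, but another process running as the same user can still read it from `/proc/<pid>/environ`, so stdin from a keychain tool or the interactive prompt should be the documented default.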
If the session file is created and exposed, an attacker could guess the vault master password far faster than by attacking the PBKDF2-protected vault file directly.
The code attempts to store a SHA-256 hash of the vault master password in a persistent session file. Even though the visible imports suggest this path may currently fail because hashlib is not imported, the intended design would create a fast offline verifier for the master password.
```python
SESSION_FILE = VAULT_DIR / '.session'
...
'password_hash': hashlib.sha256(self.master_password.encode()).hexdigest()
```
Do not persist unsalted master-password hashes. Require re-entry, use an OS keychain, or use a short-lived session token that cannot be used to verify password guesses.
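The block below is an added example for this finding and is not the skill's code. `weak_session_record` reproduces the shape of the reviewed design (an unsalted SHA-256 of the master password as the session credential) and `offline_guess` is the attacker's side: with a copy of the file, each guess costs one SHA-256 with no salt and no work factor. `safe_session_record` and `session_valid` show the replacement the recommendation calls for, a random, expiring token that carries no information about the password. The record layout, the 15-minute default TTL and the constructed wordlist are assumptions for the illustration; where the token itself is kept (OS keychain or agent memory) is out of scope.

```python
"""Added example (not the secrets-vault skill's code): an unsalted password
hash in a session file is an offline verifier; a random expiring token is not."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Iterable, Optional, Tuple


def weak_session_record(master_password: str) -> dict:
    # Same shape as the reviewed code: the password hash IS the session credential.
    return {"password_hash": hashlib.sha256(master_password.encode()).hexdigest()}


def offline_guess(record: dict, candidates: Iterable[str]) -> Optional[str]:
    """Attacker with a copy of the weak session file: one SHA-256 per guess,
    no salt, no iteration count, nothing on disk to rate-limit the attempts."""
    target = record["password_hash"]
    for guess in candidates:
        if hmac.compare_digest(hashlib.sha256(guess.encode()).hexdigest(), target):
            return guess
    return None


def safe_session_record(ttl_seconds: int = 900,
                        now: Callable[[], float] = time.time) -> Tuple[dict, bytes]:
    """Session record that leaks nothing about the master password.

    The token is random, so the file cannot confirm or deny any password guess;
    it is stored hashed, so a leaked file is not itself a usable token. The
    token (or the unlocked key it maps to) must live somewhere the file does not,
    e.g. an OS keychain or the agent process's memory (assumption, out of scope).
    """
    token = secrets.token_bytes(32)
    record = {
        "token_sha256": hashlib.sha256(token).hexdigest(),
        "expires_at": int(now()) + ttl_seconds,
    }
    return record, token


def session_valid(record: dict, token: bytes,
                  now: Callable[[], float] = time.time) -> bool:
    """True only for the correct token presented within its lifetime."""
    if now() >= record["expires_at"]:
        return False
    presented = hashlib.sha256(token).hexdigest()
    return hmac.compare_digest(presented, record["token_sha256"])


def demo() -> dict:
    """Constructed wordlist run against both record types."""
    wordlist = ["password", "hunter2", "letmein", "secret123"]  # constructed
    weak = weak_session_record("secret123")
    safe, token = safe_session_record(ttl_seconds=60, now=lambda: 1_000.0)
    return {
        "weak_cracked": offline_guess(weak, wordlist),
        "safe_has_password_material": "password_hash" in safe,
        "safe_valid_now": session_valid(safe, token, now=lambda: 1_030.0),
        "safe_valid_after_ttl": session_valid(safe, token, now=lambda: 1_060.0),
        "safe_wrong_token": session_valid(safe, b"\x00" * 32, now=lambda: 1_030.0),
    }


if __name__ == "__main__":
    print(demo())
```

The contrast with the vault file is the point: PBKDF2 makes each guess against `vault.enc` deliberately expensive, while the weak session file hands the attacker a verifier that costs a single hash per guess and can be attacked on any hardware the attacker chooses.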
A user or agent may rely on nonexistent or unreviewed code for exporting or sharing secrets.
SKILL.md advertises these high-impact secret export, sharing, and auditing scripts, but the provided manifest contains only SKILL.md, scripts/crypto_utils.py, and scripts/secrets_manager.py. The advertised behavior is therefore not reviewable in the supplied artifacts.
| Script | Description |
|---|---|
| `inject_env.py` | Environment variable injection |
| `share.py` | Secure sharing functionality |
| `audit.py` | Password security auditing |
Include all referenced scripts in the package, remove unsupported feature claims, and declare dependencies and install paths explicitly.
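As an added example for this finding (not part of the skill and not ClawScan's own tooling), the check below lists scripts that `SKILL.md` advertises but the manifest does not ship, so a reviewer sees exactly which advertised behavior cannot be reviewed. `SKILL_MD` and `MANIFEST` are constructed to mirror the artifacts described above, not the real files, and the reference heuristic (a `scripts/<name>.py` path or a backticked `<name>.py`) is an assumption.

```python
"""Added example (not the skill's code): cross-check scripts referenced in
SKILL.md against the files actually present in the package manifest."""
import re
from typing import Iterable, Set

# Constructed excerpt in the style of the reviewed SKILL.md (not the real file).
SKILL_MD = """\
## Usage
python scripts/secrets_manager.py add api.openai --type api_key
python scripts/inject_env.py --run "python app.py"
python scripts/share.py export api.openai

| Script | Description |
|---|---|
| `inject_env.py` | Environment variable injection |
| `share.py` | Secure sharing functionality |
| `audit.py` | Password security auditing |
"""

# Files actually present in the supplied manifest, as stated in the finding.
MANIFEST = ["SKILL.md", "scripts/crypto_utils.py", "scripts/secrets_manager.py"]

# Matches `scripts/foo.py` anywhere, or `foo.py` wrapped in backticks (the table
# form). A bare name such as the user's own `app.py` inside a --run argument is
# deliberately not treated as a skill script (heuristic; an assumption).
_REF = re.compile(r"scripts/([\w\-]+\.py)|`([\w\-]+\.py)`")


def referenced_scripts(skill_md: str) -> Set[str]:
    """Basenames of every script SKILL.md claims the skill provides."""
    return {m.group(1) or m.group(2) for m in _REF.finditer(skill_md)}


def shipped_scripts(manifest: Iterable[str]) -> Set[str]:
    """Basenames of the .py files actually included in the package."""
    return {p.rsplit("/", 1)[-1] for p in manifest if p.endswith(".py")}


def unreviewable_scripts(skill_md: str, manifest: Iterable[str]) -> Set[str]:
    """Advertised scripts with no code in the package to review."""
    return referenced_scripts(skill_md) - shipped_scripts(manifest)


if __name__ == "__main__":
    for name in sorted(unreviewable_scripts(SKILL_MD, MANIFEST)):
        print(f"advertised but not shipped: scripts/{name}")
```

Run against the constructed inputs this reports `audit.py`, `inject_env.py` and `share.py`, which is exactly the gap the finding describes: the two highest-impact capabilities (command execution with injected secrets, and sharing over the network) are the ones with no code to read.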
The vault remains sensitive even when encrypted; a weak master password plus cloud or repository exposure could compromise stored secrets.
Persisting an encrypted vault is purpose-aligned, but the documentation encourages syncing that sensitive file through cloud or Git-backed locations.
The vault file is stored at `~/.secrets-vault/vault.enc` and can be synced: iCloud, Dropbox/Google Drive, Git
Use a strong unique master password, avoid syncing session/share metadata, and never commit auxiliary secret files or decrypted outputs.
