Bitwarden Bw

Warn. Audited by ClawScan on May 10, 2026.

Overview

The skill uses the Bitwarden CLI as intended, but it gives the agent access to passwords and TOTP codes through a persistent Bitwarden session (BW_SESSION) that the skill's metadata never declares as a credential.

Install only if you intentionally want this agent to access your Bitwarden vault. Do not keep BW_SESSION permanently in ~/.zshrc; use a short-lived session, confirm each password or TOTP retrieval, and verify the bw CLI comes from official Bitwarden sources.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1: BW_SESSION persisted in ~/.zshrc and undeclared in metadata

What this means

If installed as written, the agent, and any other process that can read the shell environment or the profile file, can use the user's Bitwarden session to retrieve vault secrets.

Why it was flagged

BW_SESSION holds the session key of an unlocked Bitwarden vault. Persisting it in a shell startup file gives every later shell, and every command those shells run, read access to the password vault until the vault is locked or logged out, and the supplied registry metadata declares no environment variables or primary credential.

Skill content
`BW_SESSION` env var set (saved in `~/.zshrc`); Session key is in `BW_SESSION` env var (persisted in ~/.zshrc)
Recommendation

Declare BW_SESSION as a sensitive credential in the metadata, do not store it in ~/.zshrc, obtain a short-lived session per task with `bw unlock --raw` and lock the vault again when the task ends, and require user confirmation before any vault access.

Finding 2: Password, item and TOTP retrieval without user confirmation

What this means

The agent could retrieve, display, or reuse passwords and TOTP codes in the middle of a task without the user being prompted at the moment of access.

Why it was flagged

These commands return passwords, full vault item data, and two-factor authentication codes to stdout. The skill does not define approval, redaction, logging, or reuse limits for those high-impact outputs.

Skill content
`bw get password "site_name"`; `bw get item "site_name" --pretty`; `bw get totp "site_name"`
Recommendation

Add explicit instructions to ask the user before retrieving or displaying any password, full item, or TOTP code, and to keep the retrieved value out of the conversation and logs beyond what the task strictly requires.
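The following is an added example, not code from the audited skill or from Bitwarden, showing how an agent-side wrapper could satisfy the recommendations of findings 1 and 2 together: the session key from `bw unlock --raw` lives only inside one function and is passed to a single `bw get` child, the vault is locked again with `bw lock` before returning, the user is asked before every read, and only a redacted form of the secret reaches log lines. The `bw` subcommands are real; the function names and the CONFIRM_INPUT variable are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not part of the audited skill or of Bitwarden's own code).
# Wraps the real bw subcommands (`bw unlock --raw`, `bw get password|totp`, `bw lock`)
# so that the session key never reaches ~/.zshrc or the caller's environment, the
# user is asked before every retrieval, and the secret is redacted in anything that
# is logged. Function names and CONFIRM_INPUT are this example's own conventions.
set -u

# Ask before any vault read. Answers are read from CONFIRM_INPUT (default: the
# controlling terminal, so the agent cannot answer its own prompt); anything other
# than an explicit yes is a refusal, including the case where no terminal exists.
confirm_secret_access() {
  local kind=$1 item=$2 answer=""
  printf 'Agent wants to read the %s for "%s". Allow? [y/N] ' "$kind" "$item" >&2
  IFS= read -r answer < "${CONFIRM_INPUT:-/dev/tty}" || answer=""
  case "$answer" in
    y|Y|yes|YES) return 0 ;;
    *) return 1 ;;
  esac
}

# Replace a secret with a length-only placeholder for log lines and replies.
redact() {
  printf '[redacted: %d chars]' "${#1}"
}

# Retrieve one password or TOTP code for one item under a session that exists only
# for the duration of this call. The key is placed in the environment of the single
# bw child that needs it, and the vault is locked again before returning, so a later
# command in the same shell cannot reuse it. The secret goes to stdout only; stderr
# carries a redacted audit line.
bw_get_secret() {
  local kind=$1 item=$2 session value rc=0
  case "$kind" in
    password|totp) ;;
    *) echo "bw_get_secret: kind must be password or totp" >&2; return 2 ;;
  esac
  confirm_secret_access "$kind" "$item" || { echo "vault access denied by user" >&2; return 1; }

  # bw unlock --raw prompts for the master password on the terminal and prints
  # nothing but the session key, which is why it can be captured here.
  session=$(bw unlock --raw) || { echo "bw unlock failed" >&2; return 1; }
  value=$(BW_SESSION="$session" bw get "$kind" "$item") || rc=$?
  # Lock whether or not the read succeeded, then forget the key.
  bw lock >/dev/null 2>&1 || true
  unset session
  if [ "$rc" -ne 0 ]; then
    echo "bw get $kind failed for \"$item\" (exit $rc)" >&2
    return "$rc"
  fi
  echo "retrieved $kind for \"$item\": $(redact "$value")" >&2
  printf '%s' "$value"
}

# Interactive usage: PASSWORD=$(bw_get_secret password "site_name")
```

Because the answer is read from the terminal rather than from the agent's own stdin, an agent driving this wrapper cannot approve its own request; a non-interactive run simply fails closed. The audit line on stderr tells the user what was read without ever containing the value.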

Finding 3: Dependency on a globally installed npm package

What this means

A typosquatted or tampered CLI would see the master password entered at unlock and every secret retrieved through it, exposing Bitwarden credentials and vault data.

Why it was flagged

The skill depends on a globally installed npm package. That is expected for a Bitwarden CLI skill, and the skill does not install the package itself, but users should make sure the package they install is the official one.

Skill content
`bw` CLI installed: `npm install -g @bitwarden/cli`
Recommendation

Install the Bitwarden CLI only from official sources (the @bitwarden/cli package on npm or Bitwarden's own releases) and keep it updated.