Openclaw

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Prompt-injection indicators were detected in the submitted artifacts (ignore-previous-instructions); human review is required before treating this skill as clean.

Use this only if you intend to manage real secrets or wallet credentials for agents. Before copying examples, verify your 1Password account and vault permissions, keep session keys short-lived and tightly scoped, avoid shell-string command construction, and review destructive git cleanup commands carefully. ClawScan detected prompt-injection indicators (ignore-previous-instructions), so this skill requires review even though the model response was benign.

Static analysis

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.

Prompt injection instructions

Warn
Finding
Prompt-injection style instruction pattern detected.

VirusTotal

No VirusTotal findings for this skill version.

Malicious: 0
Suspicious: 0
Harmless: 0
Undetected: 66

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If copied into a real system, the agent may gain limited but real ability to use wallet credentials and move funds within configured limits.

Why it was flagged

The skill is explicitly about agents retrieving delegated wallet credentials and using them for financial operations. This is high-impact access, but the same document frames it around bounded session keys, expiry, spending limits, and revocation.

Skill content

AGENT (Autonomous) ... 1. Retrieve session key from 1Password at startup ... 3. Execute transactions within permitted scope

Recommendation

Use only dedicated vaults and short-lived session keys with strict spending limits, allowed contracts, monitoring, and human confirmation for material transfers.

What this means

A poorly adapted implementation could let attacker-controlled input alter the local command being run.

Why it was flagged

The TypeScript example builds a shell command string for the 1Password CLI. This is purpose-aligned, but if copied with an untrusted itemName value it could become a shell-injection hazard.

Skill content

const output = execSync(`op item get "${itemName}" --vault "${vault}" --format json`,

Recommendation

Prefer spawn/execFile-style APIs with argument arrays, or strictly validate item names before passing them to shell commands.

What this means

Running these commands without planning can rewrite shared repository history and affect collaborators.

Why it was flagged

The incident-response section includes forceful git history rewriting and force-push commands. They are disclosed and user-directed, but can disrupt repositories if run carelessly.

Skill content

git filter-branch --force ...
git push origin --force --all

Recommendation

Use these commands only during a real secret-leak response, after revoking the secret, backing up the repository, and coordinating with collaborators.

What this means

Users may be confused about which package or publisher they are trusting.

Why it was flagged

The visible SKILL.md identifies the skill as Bagman while the registry name under evaluation is Openclaw. The purpose description matches, so this appears to be a branding or packaging inconsistency rather than deception.

Skill content

name: bagman ... # Bagman

Recommendation

Verify the publisher, homepage, and intended skill identity before relying on it for sensitive key-management guidance.