Trust Assessment
secret-manager received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 2 medium, and 0 low severity. Key findings include "Sensitive environment variable access: $HOME", "Arbitrary code execution via user-controlled sourced file", and "Command injection via user-controlled Distrobox container name".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary code execution via user-controlled sourced file. The script sources the file specified by the `SECRETS_ENV_FILE` environment variable (defaulting to `~/.config/openclaw/secrets.env`). If an attacker can control the `SECRETS_ENV_FILE` environment variable or modify the content of the default file, they can inject and execute arbitrary shell commands with the privileges of the user running the skill. This constitutes a critical command injection vulnerability. Avoid sourcing user-controlled files. If environment variables are needed, they should be explicitly read and parsed, or set directly without sourcing. For example, use a safer parsing method like `read -r VAR_NAME < <(grep '^VAR_NAME=' "$SECRETS_FILE" \| cut -d= -f2-)` for specific variables. | LLM | secret-manager.sh:120 |
| HIGH | Command injection via user-controlled Distrobox container name. The `CONTAINER_NAME` variable, which is user-controlled via the `OPENCLAW_CONTAINER` environment variable, is directly interpolated into a `distrobox enter` command. If `OPENCLAW_CONTAINER` contains shell metacharacters (e.g., `"; rm -rf /"`), an attacker can execute arbitrary commands on the host system outside the intended `distrobox enter` context. Sanitize or strictly validate the `OPENCLAW_CONTAINER` variable to ensure it only contains valid container name characters. Alternatively, use a `distrobox` command that explicitly separates arguments from the container name, if supported, or ensure the variable is properly quoted and escaped if it must contain special characters (though sanitization is preferred for names). | LLM | secret-manager.sh:130 |
| MEDIUM | Sensitive environment variable access: $HOME. Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/jswortz/secret-manager/secret-manager.sh:12 |
| MEDIUM | API key exposed on command line during JSON patching. The sensitive API key (`$VALUE`) is passed as a command-line argument (`sys.argv[3]`) to a `python3 -c` script. This means the secret can be visible in process lists (`ps aux`), system logs, or shell history, making it vulnerable to credential harvesting by other users or processes on the system. Pass sensitive data to scripts via standard input (stdin) or environment variables, rather than command-line arguments. For example, `printf '%s' "$VALUE" \| python3 -c "import sys, json; path=sys.argv[1]; profile_id=sys.argv[2]; value=sys.stdin.read().strip(); ..." "$AUTH_PROFILES" "$PROFILE_ID"`. | LLM | secret-manager.sh:100 |