Suspicious — Risk Score 55/100
Last scan: 2 days ago
skill-state-manager
A Meta Skill that manages API keys and state persistence for other tools
This skill is a credential harvesting framework that collects and stores user API keys/tokens to plaintext JSON files without encryption, posing significant phishing and credential theft risks if invoked by a malicious agent.
Skill Name: skill-state-manager
Duration: 30.2s
Engine: pi
Use with caution
Do not use this skill. It provides a framework for credential phishing and stores secrets in unencrypted plaintext files. If credential management is needed, use an established secret manager with encryption (e.g., keyring, HashiCorp Vault).

Attack Chain 5 steps

Entry User installs skill-state-manager skill
SKILL.md:1
Escalation Attacker invokes SSM claiming a third-party tool needs authentication
SKILL.md:22
Impact User provides API keys believing it's for legitimate integration
SKILL.md:37
Impact Credentials stored in plaintext ~/.ai-skills-state/<tool>.json
SKILL.md:43
Escalation Attacker reads stored credentials from filesystem
SKILL.md:44

Findings 4 items

Severity Finding Location
High
Credential Harvesting Framework
The skill is explicitly designed to collect API keys, tokens, and secrets from users through conversational prompts. While this is declared behavior, it creates a phishing surface if invoked by a malicious agent.
manages API keys and state persistence for other tools
→ Do not use skills that collect credentials through conversational interfaces
SKILL.md:1
High
Plaintext Credential Storage
Credentials are stored as unencrypted JSON files in user home directories (~/.ai-skills-state/ or ~/.claude/skills-state/). Any malware or unauthorized access to the system can read these secrets.
use the `Write` tool to save it into the JSON file
→ Use encrypted secret storage mechanisms (keyring, OS keychain, encrypted vaults)
SKILL.md:43
Medium
No Encryption or Security Controls
The skill makes no mention of encrypting stored credentials, access controls, or any security measures beyond 'saving' to JSON.
Save State: Once the user provides the information... save it
→ Legitimate credential managers use OS keychains or encrypted storage
SKILL.md:40
Low
Implementation Not Included
Only a SKILL.md file exists; there is no actual Python/script implementation to audit for hidden functionality. Behavior depends entirely on the invoking AI agent.
Skill State Manager (SSM)
→ Request full source code implementation before using any credential-handling skill
SKILL.md:1
Resource Declared Inferred Status Evidence
Filesystem WRITE WRITE ✓ Aligned SKILL.md:43-47 Write to JSON files in ~/.claude/skills-state/ or ~/.ai-skills-st…
1 finding
Medium External URL
https://myorg.atlassian.net
SKILL.md:61

File Tree

1 file · 4.2 KB · 62 lines
Markdown 1f · 62L
└─ 📝 SKILL.md Markdown 62L · 4.2 KB

Security Positives

✓ Declared behavior matches documentation - no hidden functionality detected
✓ Skill uses standard filesystem paths for storage (predictable)
✓ No network calls, shell execution, or base64 encoded payloads observed