Low Risk — Risk Score 5/100
Last scan: 16 hr ago
Private Secrets Skill
A skill for securely storing and managing private information (API keys, passwords, tokens, etc.)
Pure documentation skill (SKILL.md only) describing a secrets manager that stores data in plaintext JSON; no executable code or scripts present.
Skill Name: Private Secrets Skill
Duration: 28.1s
Engine: pi
Safe to install
This skill is documentation-only. If deployed with an agent, verify the actual implementation does not exfiltrate secrets. Add encryption (e.g., age, GPG) to the storage mechanism in production.

Findings 1 items

Severity Finding Location
Low
Plaintext secrets storage declared in documentation Sensitive Access
SKILL.md explicitly states that secrets are stored in `/workspace/skills/private-secrets-1.0.0/secrets.json` without encryption. This is documented but represents a data-at-rest risk.
"This file is stored locally, unencrypted"
→ If this skill is implemented, add encryption (e.g., age, GPG, or a vault solution) before storing secrets at rest.
SKILL.md:16
Resource Declared Inferred Status Evidence
Filesystem NONE NONE No implementation files exist; behavior inferred only from documentation

File Tree

1 files · 726 B · 37 lines
Markdown 1f · 37L
└─ 📝 SKILL.md Markdown 37L · 726 B

Security Positives

✓ No executable code, scripts, or binary files present — only a Markdown documentation file
✓ No network requests, encoding tricks, or obfuscation patterns detected
✓ No credential harvesting or exfiltration behavior described or implemented
✓ Secrets storage location is clearly declared and not a hidden path
✓ No dependencies (requirements.txt, package.json, etc.) that could introduce supply chain risk
✓ No evidence of reverse shell, C2, or data theft mechanisms