Low risk (risk score 5/100)
Last scanned: 18 hours ago
Private Secrets Skill
A skill for securely storing and managing private information (API keys, passwords, tokens, etc.)
Pure documentation skill (SKILL.md only) describing a secrets manager that stores data in plaintext JSON; no executable code or scripts present.
Skill name: Private Secrets Skill
Analysis time: 28.1s
Engine: pi
Can be installed
This skill is documentation-only. If deployed with an agent, verify the actual implementation does not exfiltrate secrets. Add encryption (e.g., age, GPG) to the storage mechanism in production.

Security findings: 1

Severity | Security finding | Location
Low | Plaintext secrets storage declared in documentation (Sensitive access) | SKILL.md:16
SKILL.md explicitly states that secrets are stored in `/workspace/skills/private-secrets-1.0.0/secrets.json` without encryption. This is documented but represents a data-at-rest risk.
This file is stored locally, unencrypted
→ If this skill is implemented, add encryption (e.g., age, GPG, or a vault solution) before storing secrets at rest.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | NONE | | No implementation files exist; behavior inferred only from documentation

Directory structure

1 file · 726 B · 37 lines
Markdown 1f · 37L
└─ 📝 SKILL.md Markdown 37L · 726 B

Security highlights

✓ No executable code, scripts, or binary files present — only a Markdown documentation file
✓ No network requests, encoding tricks, or obfuscation patterns detected
✓ No credential harvesting or exfiltration behavior described or implemented
✓ Secrets storage location is clearly declared and not a hidden path
✓ No dependencies (requirements.txt, package.json, etc.) that could introduce supply chain risk
✓ No evidence of reverse shell, C2, or data theft mechanisms