Low Risk — Risk Score 15/100
Last scan: 22 hr ago
snappwd-share
Securely share secrets, API keys, files, and credentials with OpenClaw agents and team members via self-destructing links
This is a legitimate secret-sharing skill that redirects users to use an external CLI tool (snappwd) or web interface for secure credential sharing. No malicious behavior detected - all functionality is declared and aligns with documented behavior.
Skill Name: snappwd-share
Duration: 34.7s
Engine: pi
Safe to install
This skill is safe to use. Consider pinning the @snappwd/cli version in documentation to reduce supply chain risk. The skill merely guides users to use the external tool rather than implementing the sharing mechanism directly.

Findings: 1 item

| Severity | Finding | Location |
| --- | --- | --- |
| Low | Unpinned npm package dependency (Supply Chain) | SKILL.md:48 |

The documentation instructs users to install @snappwd/cli without a version pin ('npm install -g @snappwd/cli'). This creates a minor supply chain risk as the package could be updated with malicious code in the future.
npm install -g @snappwd/cli
→ Consider specifying a version: npm install -g @snappwd/cli@latest or recommend reviewing the package before installation

| Resource | Declared | Inferred | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | NONE | NONE | | Skill does not directly access filesystem - merely guides users to share files v… |
| Network | READ | READ | ✓ Aligned | SKILL.md declares network access via external snappwd.io service |
| Shell | NONE | READ | ✓ Aligned | scripts/snappwd-share.sh uses 'snappwd put' command - declared as CLI integratio… |
| Environment | NONE | NONE | | No environment variable access detected |
| Skill Invoke | NONE | NONE | | No skill-to-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |

7 findings

| Severity | Finding | Location |
| --- | --- | --- |
| Medium | External URL: https://snappwd.io**: | SKILL.md:22 |
| Medium | External URL: https://snappwd.io | SKILL.md:25 |
| Medium | External URL: https://snappwd.io/g/abc123...#encryption-key... | SKILL.md:54 |
| Medium | External URL: https://snappwd.io/g/abc123def456...#encryption-key... | references/cli-usage.md:19 |
| Medium | External URL: https://snappwd.io/g/abc123...#key... | references/cli-usage.md:43 |
| Medium | External URL: https://secrets.your-domain.com/api/v1 | references/cli-usage.md:73 |
| Medium | External URL: https://snappwd.io/g/ | references/cli-usage.md:82 |

File Tree

4 files · 10.7 KB · 360 lines
Markdown 3f · 320L Shell 1f · 40L
├─ 📁 references
│ ├─ 📝 cli-usage.md Markdown 85L · 1.5 KB
│ └─ 📝 security-model.md Markdown 110L · 3.3 KB
├─ 📁 scripts
│ └─ 🔧 snappwd-share.sh Shell 40L · 967 B
└─ 📝 SKILL.md Markdown 125L · 4.9 KB

Dependencies: 1 item

| Package | Version | Source | Known Vulns | Notes |
| --- | --- | --- | --- | --- |
| @snappwd/cli | * | npm | No | Version not pinned - installed via 'npm install -g @snappwd/cli' |

Security Positives

✓ All functionality is clearly documented in SKILL.md with no hidden behavior
✓ Skill implements zero-knowledge encryption design - server never sees plaintext secrets
✓ One-time links with a self-destruct mechanism prevent credential reuse
✓ Key-in-URL-fragment approach ensures encryption key never reaches the server
✓ No credential harvesting - skill is designed to help users SHARE secrets safely, not steal them
✓ No base64 obfuscation, reverse shells, or C2 communication detected
✓ References to sensitive paths (like ~/.ssh/id_rsa) are examples of what users CAN share, not what the skill accesses
✓ Shell execution is limited to documented CLI tool invocation for secret sharing