Skill Trust Decision

authlock

AuthLock provides legitimate TOTP-based secret encryption but contains an undocumented subprocess execution feature with shell=True that poses command injection risk.

Install decision first
Source: Manual upload
Scanned: Apr 3, 2026
Files 2
Artifacts 0
Violations 1
Findings 3
Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 1 severe finding.

Review
Dependencies and supply chain hygiene

3 dependency or supply-chain issues need attention.

What drove the risk score up

Shell injection risk in subprocess +20

cmd_open uses subprocess.run(shell=True) with user-supplied exec argument without validation

Sensitive path access documented +10

~/.ssh/id_rsa and similar sensitive files are explicitly mentioned in examples

Remote execution capability +5

--exec flag allows command execution, partially documented in SKILL.md

Most important evidence

High

Shell command injection vulnerability in --exec

The cmd_open function uses subprocess.run(shell=True) with the user-supplied --exec argument. While the example shows legitimate use for SSH, the command is not sanitized and could allow command injection if metacharacters are included in args.exec.

authlock_cli.py:336
Use subprocess.run with shell=False and pass the command as a list, or implement strict input validation to prevent shell injection.
Medium

Sensitive path access not prominently documented

The SKILL.md examples show encrypting ~/.ssh/id_rsa but this sensitive path access is not declared in the capability requirements section.

SKILL.md:45
Document that the tool accesses user home directory and sensitive files for encryption purposes.
Low

TOTP seed stored in plaintext config

The TOTP seed is stored in config.json without additional encryption beyond file permissions. While this is standard practice, the seed is the critical secret.

authlock_cli.py:103
Consider documenting that config.json should be protected with appropriate file permissions.

Declared capability vs actual capability

Capability | Result | Declared | Inferred | Evidence
Filesystem | Pass | READ,WRITE | READ,WRITE | SKILL.md:seal/open commands; authlock_cli.py:cmd_seal,cmd_open
Shell | Block | NONE | WRITE | authlock_cli.py:336 - subprocess.run(cmd, shell=True)
Environment | Pass | NONE | READ | SKILL.md:OPENCLAW_WORKSPACE,AUTHLOCK_HOME usage
Network | Pass | NONE | NONE | No network requests found

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
cryptography | * | pip | No | Standard encryption library
pyotp | * | pip | No | TOTP generation
qrcode | * | pip | No | QR code display

File composition

2 files · 986 lines
Python 1 file · 728 lines
Markdown 1 file · 258 lines
Files of concern · 2
authlock_cli.py Python · 728 lines
Shell command injection vulnerability in --exec · TOTP seed stored in plaintext config
SKILL.md Markdown · 258 lines
Sensitive path access not prominently documented

Security positives

TOTP-based MFA provides strong authentication for decryption
AES-256-GCM with PBKDF2-SHA256 for encryption (industry standard)
No evidence of network exfiltration or data theft
Security notes prohibit echoing plaintext in conversation
PIN optional second factor implemented
Temporary files cleaned up after execution
File permissions set to 0o600 for decrypted secrets