secrets-hygiene
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements an audit mechanism that is vulnerable to indirect prompt injection. It recursively scans and parses the contents of all files within other installed skill directories to identify credential names and includes these names in its report. Evidence:
  - (1) Ingestion points: audit.py reads file content from ~/.openclaw/extensions and ~/.openclaw/skills.
  - (2) Boundary markers: The extracted identifier strings are included in the report output without delimiters or instructions for the agent to ignore them.
  - (3) Capability inventory: The skill is designed for the agent to interpret the audit report and initiate dialogue with the user regarding rotation or revocation actions.
  - (4) Sanitization: Identifier names extracted via regex are not sanitized or validated before presentation to the agent.
- [SAFE]: The skill operates locally on the user's filesystem and does not initiate network connections or external data transmissions.
- [SAFE]: Credential scanning is restricted to directories containing agent skill metadata, preventing access to system-level secrets like SSH keys or cloud provider configurations unless they are stored within a skill's directory.