vaultwarden

Warn

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: MEDIUM
DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill provides instructions that expose sensitive credentials and application data. Specifically, SKILL.md includes a docker inspect command used to view environment variables, which in a standard deployment contain plaintext secrets such as SMTP_PASSWORD and ADMIN_TOKEN. It also details access to the /data/db.sqlite3 file, the core database containing the encrypted vault.
  • [COMMAND_EXECUTION]: The skill utilizes several administrative commands to manage the container and application state. These include a variety of docker commands for container management and inspection, as well as curl for interacting with the Vaultwarden Admin API and tar for filesystem backups as detailed in SKILL.md.
  • [EXTERNAL_DOWNLOADS]: The skill references and uses software images from well-known providers. It specifies the vaultwarden/server and caddy images from Docker Hub and provides documentation links to GitHub and Bitwarden's help center. These references are essential to the skill's function and originate from recognized sources.
  • [PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection. Per SKILL.md, it ingests untrusted data via docker logs and Admin API JSON responses. No boundary markers or sanitization routines are defined to distinguish application data from instructions. The agent's ability to execute docker and curl commands could be misused if malicious instructions are embedded in the processed data.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 18, 2026, 01:38 PM