bitwarden
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple shell commands to interact with the Bitwarden CLI (
bw), including unlocking the vault and generating passwords. - [CREDENTIALS_UNSAFE]: Uses the
bw unlock --rawcommand to obtain a session token and stores it in theBW_SESSIONenvironment variable. This token grants full access to the vault for the duration of the session. - [CREDENTIALS_UNSAFE]: The skill retrieves and prints plain-text passwords from the vault to the terminal using a Python script. This behavior exposes sensitive credentials to terminal logs and the agent's context.
- [EXTERNAL_DOWNLOADS]: The skill provides instructions to download the Bitwarden CLI from official and well-known sources such as npm (@bitwarden/cli), Homebrew, and Winget.
- [INDIRECT_PROMPT_INJECTION]: The skill has a significant attack surface as it ingests untrusted data from the password vault (e.g., item names, usernames, and notes). If an attacker stores malicious instructions within vault entries, the agent could be manipulated when it retrieves and processes that data.
- Ingestion points: Data is pulled into the context via
bw list items. - Boundary markers: None identified; the agent processes the raw JSON output from the CLI.
- Capability inventory: The agent has shell access and can execute arbitrary
bwandpython3commands. - Sanitization: No explicit sanitization or filtering of vault content is performed before it is processed by the Python script or shown to the agent.
Audit Metadata