secrets-manager
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install the `keyvault` and `keyvault-ai` packages directly from an unverified GitHub repository (github.com/ylz201/keyvault.git). As this repository belongs to an unverified author, its source and contents are unverifiable.
- [COMMAND_EXECUTION]: The skill uses `pip install` with remote Git URLs for installation. It also includes the `keyvault inject` command for executing local scripts with environment variable injection and provides an MCP server setup via `python -m keyvault.mcp_server`.
- [CREDENTIALS_UNSAFE]: The tool manages and accesses sensitive files at `~/.keyvault/master.key` and `~/.keyvault/vault.db` to store encryption keys and secrets. While associated with the skill's purpose, these represent access to sensitive local security infrastructure.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by processing external secret data that is later injected into process environments.
  - Ingestion points: Secret values and keys imported from `.env` files or CLI arguments.
  - Boundary markers: No delimiters or instructions to ignore embedded commands are specified for the processed data.
  - Capability inventory: File system access to the user's home directory and subprocess spawning via `keyvault inject`.
  - Sanitization: No input validation or sanitization of stored secret values is described.
Audit Metadata