olares-settings@1.2.0
github.com/clawhub.ai/olares-settings
Scanned Thu, 28 May 2026 15:29:57 GMT
Scan ID crawl-imh10ue6dwxevg4jvh7u9wst · 8ms
F
SCORE 0 / 100
Verdict: Do not install

3 critical findings.

This skill exfiltrates environment secrets ($AWS_ACCESS_KEY_ID) plus 3 other issues listed below.

3 critical · 0 high · 1 medium · 8 rules passed

Why grade F?

score · 0 / 100

The current grade reflects 3 critical findings (any 2+ CRITs → F).

3 CRIT · 0 HIGH · 1 MED · 0 LOW
To reach a higher grade
  • Reach D (target score 30)
    Resolve 2 of your 3 CRIT findings — any single CRIT still keeps you at D.

  • Reach C (target score 55)
    Resolve all 3 CRIT findings.

  • Reach B (target score 75)
    Resolve all 3 CRIT findings.

  • Reach A (target score 95)
    Resolve all 3 CRIT findings.

Thresholds are documented at /docs/grading. The source of truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

crit
Skill references secret env var $AWS_ACCESS_KEY_ID
The skill instructions reference `$AWS_ACCESS_KEY_ID`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvesting · line: 285 · CWE-200
283  ```bash
284  olares-cli settings integration accounts add awss3 \
285    --access-key-id "$AWS_ACCESS_KEY_ID" \
     ^ references $AWS_ACCESS_KEY_ID — potential credential leak
286    --access-key-secret "$AWS_SECRET_ACCESS_KEY" \
287    --endpoint "https://s3.amazonaws.com" \
crit
Skill references secret env var $AWS_SECRET_ACCESS_KEY
The skill instructions reference `$AWS_SECRET_ACCESS_KEY`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvesting · line: 286 · CWE-200
284  olares-cli settings integration accounts add awss3 \
285    --access-key-id "$AWS_ACCESS_KEY_ID" \
286    --access-key-secret "$AWS_SECRET_ACCESS_KEY" \
     ^ references $AWS_SECRET_ACCESS_KEY — potential credential leak
287    --endpoint "https://s3.amazonaws.com" \
288    --bucket "my-bucket" # optional
crit
Skill references secret env var $AWS_SECRET_ACCESS_KEY
The skill instructions reference `$AWS_SECRET_ACCESS_KEY`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvesting · line: 366 · CWE-200
364  - `settings users create` / `settings users delete` are destructive (`delete` needs the whole word `yes` unless **`--yes`**). **Both default to accepted-then-exit**; pass **`--watch`** to block until `Created` / `Deleted` (with `--watch-timeout` / `--watch-interval`, same as [`olares-cli market --watch`](../olares-market/SKILL.md#watch-flag)). **`delete` cannot remove the owner account** (fails before DELETE). `create` always generates the initial password once to stdout; treat transcripts accordingly.
365  - `settings users get <username>` returns the same record the SPA shows on the user detail page; treat its email / olaresId as PII and avoid forwarding it outside the requesting workflow.
366  - For writes that take secrets (`integration accounts add awss3|tencent` is the verified one in this surface), **always** read the secret from an env var or stdin pipe — never paste it into the chat or expand it inline in an `olares-cli ...` command line you suggest. Bash history retention is the user's responsibility; the agent should default to env-var / pipe style invocations (`--access-key-secret "$AWS_SECRET_ACCESS_KEY"`, `printf '%s\n' "$VAR" | ... --password-stdin`) whenever the verb supports it.
     ^ references $AWS_SECRET_ACCESS_KEY — potential credential leak
367  - Other secret-bearing verbs (e.g. `backup password set`, `restore plans check-url / create-from-url`) live in [`UNVERIFIED_COMMANDS.md`](cli/cmd/ctl/settings/scripts/UNVERIFIED_COMMANDS.md) until they're smoke-greened; the same env-var / stdin-pipe rule applies whenever you exercise them by hand.
368  - Read-only verbs do **not** carry "this will change X" prompts — only mutating verbs do, and the prompts they do carry come from the upstream server's own response messages. Don't fabricate one for read verbs.
med
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
skillox.io/r/crawl-imh10ue6dwxevg4jvh7u9wst