credential-scanner
github.com/useai-pro/openclaw-skills-security
Scanned Thu, 28 May 2026 17:39:57 GMT
Scan ID crawl-jsmbm0xb6ks29vwzz1tind2f · 2ms
C
SCORE 55 / 100
Verdict: Proceed with caution
3 high-severity findings.
This skill reads protected filesystem locations plus 3 other issues listed below.
0 critical3 high1 medium8 rules passed
Why grade C?
score · 55 / 100The current grade reflects 3 high-severity findings (3+ HIGHs → C).
0 CRIT3 HIGH1 MED0 LOW
To reach a higher grade
- BReach Btarget score 75
Resolve 1 of 3 HIGH (cap is 2).
- AReach Atarget score 95
Resolve all 3 HIGH.
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.
Findings · ordered by severity
highSensitive filesystem path referencedThe skill references a path (`~\/\.aws\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.▾
Sensitive filesystem path referenced
The skill references a path (`~\/\.aws\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
42**Home directory files (scan only with explicit user consent):**
43
44- `~/.aws/credentials`, `~/.aws/config`← sensitive path — credential-exfiltration vector
45- `~/.ssh/id_rsa`, `~/.ssh/id_ed25519`, `~/.ssh/config`
46- `~/.netrc`, `~/.npmrc`, `~/.pypirc`
highSensitive filesystem path referencedThe skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.▾
Sensitive filesystem path referenced
The skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
43
44- `~/.aws/credentials`, `~/.aws/config`
45- `~/.ssh/id_rsa`, `~/.ssh/id_ed25519`, `~/.ssh/config`← sensitive path — credential-exfiltration vector
46- `~/.netrc`, `~/.npmrc`, `~/.pypirc`
47
highSensitive filesystem path referencedThe skill references a path (`~\/\.npmrc`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.▾
Sensitive filesystem path referenced
The skill references a path (`~\/\.npmrc`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
44- `~/.aws/credentials`, `~/.aws/config`
45- `~/.ssh/id_rsa`, `~/.ssh/id_ed25519`, `~/.ssh/config`
46- `~/.netrc`, `~/.npmrc`, `~/.pypirc`← sensitive path — credential-exfiltration vector
47
48### Patterns to Detect
medNo capability manifest declaredThe skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.rule: no-manifest▾
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule:
no-manifestskillox.io/r/crawl-jsmbm0xb6ks29vwzz1tind2f