credential-manager

openclaw-credential-manager · v · by

66.1

Trust Score

Trust Tier

danger

Badge

Score Breakdown

Factor	Score	Weight
Static	0.0	15%
Permission	100.0	15%
Poison	100.0	15%
Clickfix	100.0	15%
Credential	5.0	15%
Twostage	100.0	10%
Infrastructure	100.0	5%
Typosquat	100.0	5%
Age	10.6	3%
Popularity	0.0	2%

Scan Results

STATIC — Score: 0

[INFO] Environment variable exfiltration to remote server (line 725)
os.environ[key] = val

[HIGH] Prompt injection or system override attempt (line 708)
**This creates a fail-fast system:** If credentials aren't properly secured, skills refuse to run. Users are forced to f

[MEDIUM] References to cryptocurrency seed/recovery phrases (line 47)
6. **Encrypts** high-value secrets with GPG (wallet keys, private keys, mnemonics)

[MEDIUM] References to cryptocurrency seed/recovery phrases (line 73)
- Mnemonics and seed phrases

[MEDIUM] References to cryptocurrency seed/recovery phrases (line 88)
- Mnemonic detection (flags 12/24 word values)

[MEDIUM] References to cryptocurrency seed/recovery phrases (line 178)
Private keys, wallet keys, and mnemonics should **never** exist as plaintext on disk. Use GPG encryption for these.

[MEDIUM] References to cryptocurrency seed/recovery phrases (line 222)
| Mnemonics / seed phrases | ✅ Yes | Master recovery |

[MEDIUM] References to cryptocurrency seed/recovery phrases (line 480)
- Detects mnemonic/seed phrases (12/24 word values) → recommends GPG

[MEDIUM] References to cryptocurrency seed/recovery phrases (line 535)
- **Critical** (90-day rotation): `*PRIVATE_KEY`, `*MNEMONIC`, `*SEED`, `*WALLET_KEY`, `*CUSTODY*`, `*SIGNER*`

PERMISSION — Score: 100

No findings.

POISON — Score: 100

No findings.

CLICKFIX — Score: 100

No findings.

INFRASTRUCTURE — Score: 100

No findings.

TWOSTAGE — Score: 100

No findings.

CREDENTIAL — Score: 5

[CRITICAL] OpenClaw config file theft — the #1 ClawHavoc target (line 447)
cat >> ~/.openclaw/.env << 'EOF'

TYPOSQUAT — Score: 100

No findings.

← Back to list