Security Audit: credential-manager + shell-security-ultimate — credential harvesting meets shell execution #6
Description
AgentWard Security Audit: Credential Harvesting + Shell Execution Chain
Scanned by: AgentWard v0.2.5
Skills analyzed: credential-manager (by callmedas69), shell-security-ultimate (by globalcaos)
Source: callmedas69, globalcaos
Summary
These two skills are independently risky. Installed together — which is plausible, since credential-manager markets itself as "MANDATORY" for all OpenClaw deployments — they create a dangerous chain: one skill scans the filesystem for every credential on the machine, and the other executes shell commands with root access.
| Skill | Severity | Tools |
|---|---|---|
credential-manager |
🔴 3 CRITICAL, 🟢 12 LOW | 15 |
shell-security-ultimate |
🔴 3 CRITICAL | 3 |
Skill Chaining Risk
The chain: credential-manager → shell-security-ultimate
credential-managerscans~/.config/*/credentials.json,~/.openclaw/workspace/memory/*-creds.json, and~/.env— surfacing API keys, OAuth tokens, wallet keys, seed phrases, and private keys across the entire machinecredential-manager:adding_new_credentialshas network access combined with credentials — AgentWard flagged this as an exfiltration vectorshell-security-ultimategives the agent shell execution with root access — even though it classifies commands as SAFE/WARN/CRIT, the classification happens inside the LLM context (prompt-injectable)- An agent with both skills installed could: discover credentials → use shell access to exfiltrate them (
curl,scp,nc)
Why this matters: credential-manager explicitly tells other skills to depend on it ("Other OpenClaw skills MUST validate credentials are secure before using them"). This creates an implicit chaining relationship — many skills will load credential-manager as a prerequisite, giving it access to credentials that then flow through the agent's context.
Individual Findings
credential-manager:
credential-manager:detection_parameters— 🔴 CRITICAL: Financial operations with credential accesscredential-manager:supported_services— 🔴 CRITICAL: Financial operations with credential accesscredential-manager:adding_new_credentials— 🔴 CRITICAL: Network access combined with credentials (exfiltration risk)- AgentWard recommends blocking outbound network for this server
shell-security-ultimate:
shell-security-ultimate:how_it_works— 🔴 CRITICAL: Can execute shell commandsshell-security-ultimate:what_you_get— 🔴 CRITICAL: Accesses credentials/secretsshell-security-ultimate:who_its_for— 🔴 CRITICAL: Can execute shell commands- AgentWard recommends requiring human approval for all 3 tools
Recommendations
For users of these skills:
pip install agentward
agentward initAgentWard can enforce skill chaining rules to prevent this combination:
skill_chaining:
- credential-manager cannot trigger shell-security-ultimate
- shell-security-ultimate cannot trigger credential-manager
skills:
openclaw:callmedas69:
network:
outbound: false
require_approval:
- shell-security-ultimate:how_it_works
- shell-security-ultimate:what_you_get
- shell-security-ultimate:who_its_forFor skill developers:
- credential-manager: Separate credential scanning from network-capable operations. The skill that discovers credentials should never have outbound network access.
- shell-security-ultimate: The command classification (SAFE/WARN/CRIT) runs inside the LLM context and is vulnerable to prompt injection. Consider moving classification to code-level enforcement outside the agent's context window.
Full Reports
credential-manager permission map (15 tools)
| Tool | Capabilities | Risk | Why |
|---|---|---|---|
credential-manager:this_is_not_optional |
read | ✅ LOW | |
credential-manager:the_foundation |
read | ✅ LOW | |
credential-manager:what_this_skill_does |
read | ✅ LOW | |
credential-manager:detection_parameters |
read | 🔴 CRITICAL | Financial operations with credential access |
credential-manager:common_credential_locations |
read | ✅ LOW | |
credential-manager:security_features |
read | ✅ LOW | |
credential-manager:output_structure |
read | ✅ LOW | |
credential-manager:supported_services |
read | 🔴 CRITICAL | Financial operations with credential access |
credential-manager:security_best_practices |
read | ✅ LOW | |
credential-manager:scripts |
read | ✅ LOW | |
credential-manager:migration_workflow |
read | ✅ LOW | |
credential-manager:for_skill_developers_enforce_this_standard |
read | ✅ LOW | |
credential-manager:loading_credentials |
read | ✅ LOW | |
credential-manager:adding_new_credentials |
read | 🔴 CRITICAL | Network + credentials = exfiltration risk |
credential-manager:rollback |
read | ✅ LOW |
shell-security-ultimate permission map (3 tools)
| Tool | Capabilities | Risk | Why |
|---|---|---|---|
shell-security-ultimate:how_it_works |
read,write | 🔴 CRITICAL | Can execute shell commands |
shell-security-ultimate:what_you_get |
read,write | 🔴 CRITICAL | Accesses credentials/secrets |
shell-security-ultimate:who_its_for |
read | 🔴 CRITICAL | Can execute shell commands |
Generated by AgentWard — open-source permission control plane for AI agents.