Is gitchrisqueen/lastpass-cli safe?

https://github.com/openclaw/skills/tree/main/skills/gitchrisqueen/lastpass-cli

70 · CAUTION

The lastpass-cli skill contains no malicious code and installs cleanly without unexpected network behavior or canary file access. However, it is architecturally dangerous by design: it grants an LLM agent unrestricted read access to the user's entire LastPass vault with no allowlist, confirmation step, or output redaction, making every stored credential accessible to any instruction that reaches the agent — including prompt injections from web content, documents, or malicious user input. Combined with any network-capable skill, this creates a one-step credential exfiltration chain.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 35/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 97/100 · 10%
Behavioral Reasoning 38/100 · 5%

Findings (7)

CRITICAL Full vault credential access by agent design -65

The skill's core function is to pipe LastPass vault credentials directly into the LLM agent's response context. Any credential the user has stored — banking passwords, API keys, SSH passphrases — becomes accessible to the agent on request. There is no allowlist, no confirmation step, and no scope restriction. This makes the agent a live credential retrieval endpoint for any instruction source that reaches it.

HIGH Raw field option exposes all credential metadata -15

The 'raw' field value passes no filtering flags to lpass, dumping the complete entry including URL, username, password, notes, and any custom fields. A single call with field='raw' exposes maximum credential surface.

HIGH Dangerous composition with network/communication skills -40

This skill alone is a credential retrieval primitive. Combined with any skill granting network access (HTTP requests, email, Slack), the composition creates a complete credential exfiltration chain triggerable by a single prompt injection. No agent-level safeguard separates 'retrieve credential' from 'send credential externally'.

MEDIUM Repository provenance mismatch in metadata -15

_meta.json references a commit URL on github.com/clawdbot/skills while the skill was installed by cloning github.com/openclaw/skills. This discrepancy may indicate the skill was copied between repos without updating metadata, or could indicate an attempt to associate legitimacy from one repo with content served from another.

MEDIUM Stale or misplaced lock.json references different skill -10

.clawhub/lock.json lists 'academic-research-hub' as an installed skill at version 0.1.0. This file should represent the dependencies of lastpass-cli, not an unrelated skill. This suggests the lock file was included from a different environment or template without cleanup.

LOW No instruction boundary between vault access and agent output -12

The skill provides no mechanism to prevent the retrieved credential from being included verbatim in the agent's conversational output or tool-call results. A user who asks the agent to summarize its recent actions, or a logging system capturing agent outputs, will see plaintext credentials.

INFO Shell script is well-formed with proper quoting 0

The bash script uses set -euo pipefail, quotes all variable expansions, and validates the command and field parameters before use. No shell injection vector was identified in the script itself.