Is gnarco/dashlane safe?

https://github.com/openclaw/skills/tree/main/skills/gnarco/dashlane

Overall score: 87 · Verdict: SAFE

The gnarco/dashlane skill is clean, well-structured Markdown documentation for the legitimate Dashlane CLI tool with no malicious code, prompt injection directives, hidden instructions, or data exfiltration activity during installation. However, the skill's inherent purpose — granting an LLM agent comprehensive, scriptable access to a user's entire password vault — creates a very high-value target for prompt injection attacks; a single compromised instruction could trigger dcli backup or dcli exec to silently exfiltrate all credentials in one step. The skill should only be installed by users who understand this risk and operate in environments with strong prompt injection mitigations.

Category Scores (score/100 · weight)

Prompt Injection 95/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 96/100 · 20%
Clone Behavior 87/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 58/100 · 5%

Findings (7) (severity · title · score impact)

HIGH Full vault export commands create single-step credential exfiltration path -28

The skill documents dcli backup (full vault export to disk) and dcli p -o json (all matching credentials as JSON). Any prompt injection vector that can reach an agent with this skill active could instruct a complete credential dump in a single command. If the Dashlane master password has been saved to the keychain, it also unlocks the entire vault without any additional confirmation.

HIGH Vault-backed SSH key loading enables persistent unauthorized access -12

The documented pattern 'dcli n SSH_KEY | ssh-add -' pipes a private SSH key from the Dashlane vault directly into the running SSH authentication agent. A manipulated agent could silently perform this operation, adding keys to the SSH agent and enabling persistent shell access to any system trusting that key, with no file written to disk.

MEDIUM Master password plaintext environment variable pattern documented and normalized -10

The skill explicitly documents and promotes storing the Dashlane master password as a plaintext environment variable (DASHLANE_MASTER_PASSWORD) for CI/Docker use cases. This normalizes a dangerous pattern and means an agent could be instructed to echo or transmit this variable to obtain the master password unlocking the entire vault.

MEDIUM dcli exec injects entire vault secret set into arbitrary process environment -8

The 'dcli exec -- mycommand' feature injects all Dashlane secrets as environment variables into the target process. An agent instructed to run any network-capable command via dcli exec would expose the complete vault secret set to that command without the user realizing the scope of exposure.

LOW User presence verification can be silently disabled -5

The skill documents 'dcli configure user-presence --method none' which disables biometric or physical presence checks before vault access. An agent operating autonomously could disable this control before performing bulk vault operations, removing a layer of friction that would otherwise alert the user.

LOW Stale lock.json references unrelated skill dependency -3

The .clawhub/lock.json file shipped with this skill lists 'academic-research-hub' as an installed dependency. This skill has no relationship to Dashlane and appears to be a copy-paste artifact from another skill's lock file. While not a security risk, it indicates the skill was not carefully reviewed before publication.

INFO Canary file accesses originate from audit monitoring system, not the skill 0

Auditd PATH records show all six canary files accessed in identical batches at timestamps 1771913596.407 (pre-install baseline) and 1771913614.216 (post-install final check). The sub-millisecond batch pattern, together with the integrity report, confirms that these are Oathe audit system reads, not reads by the skill or its installation process.