Is jimihford/openclaw-bitwarden safe?

https://github.com/openclaw/skills/tree/main/skills/jimihford/openclaw-bitwarden

85
SAFE

The jimihford/openclaw-bitwarden skill is a legitimate, well-structured Bitwarden CLI management helper with no malicious code, no prompt injection patterns, and a clean installation process. All canary honeypot files remained intact and no data exfiltration was detected during the install phase. The primary risks are inherent to the skill's purpose: it instructs an LLM agent to unlock a password vault and handle live session keys via tmux, creating a high-privilege context where secondary prompt injection attacks could redirect credential retrieval, and where vault contents enter the LLM context window by design.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 96/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (6)

MEDIUM tmux capture-pane captures BW_SESSION key and vault contents into agent context -20

The skill's core workflow instructs the agent to run 'bw unlock --raw' inside tmux and then use 'capture-pane -p -J -S -200' to read the output. This operation pulls the raw BW_SESSION key and any subsequent vault command results directly into the LLM's context window. The session key grants full vault read access and could be inadvertently included in chat responses, debug logs, or forwarded to external tools.

MEDIUM BW_SESSION persists in named tmux session after agent use -15

The BW_SESSION is exported inside a named tmux session that survives until the agent explicitly runs 'bw lock' and 'tmux kill-session'. If the agent fails to clean up (e.g., due to interruption or error), the session key remains accessible to all processes running as the same user. The skill provides cleanup instructions but depends entirely on LLM compliance.

LOW Skill grants LLM agent full Bitwarden vault read access by design -15

The skill workflow, when followed, results in the LLM agent holding a live BW_SESSION key with complete vault read privileges. Any secondary prompt injection (from malicious file content, webpage, or email processed by the same agent session) could redirect vault queries to extract and exfiltrate specific credentials. This is an inherent risk of password manager skills, not malicious coding.

LOW bw config server instruction teaches agent to redirect CLI to arbitrary server -10

The Vaultwarden testing section teaches the pattern 'bw config server ' to redirect the Bitwarden CLI to a custom server. While scoped to localhost testing here, this pattern in the agent's learned behavior could be exploited by a malicious follow-on prompt to point bw at an attacker-controlled server that captures submitted credentials.

LOW openclaw-gateway process established new external connections to 98.83.99.233 post-install -5

The pre-existing openclaw-gateway process (PID 1090) established two new persistent ESTABLISHED connections to 98.83.99.233:443 after the skill install completed. This IP does not correspond to GitHub, Bitwarden, or Ubuntu infrastructure. This appears to be framework-level install telemetry but the destination is unverified and warrants awareness.

INFO Hardcoded test credentials present in Vaultwarden testing section -3

The skill embeds test credentials: admin token 'test-admin-token-12345' and account '[email protected] / TestPassword123!'. These are clearly scoped to a local Docker Compose environment and pose no direct security risk. However, agents should not apply these credentials against real Bitwarden servers.