Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

License

Manage software license keys with generation, rotation, and audit tracking. Use when generating keys, auditing licenses, rotating expired credentials.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
bybytesagain4@xueyetianya
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (license management with secure storage, rotation, audit) matches the included script's functionality (generate, audit, rotate, export, etc.). However the SKILL.md promises 'store a license securely in the vault' and 'Every action is timestamped and logged for full auditability' while the script stores all inputs and keys as plaintext lines in per-command .log files and export files under ~/.local/share/license. There is no encryption, access control, or secret protection implemented — a meaningful mismatch between claimed 'secure' storage and actual behavior.
Instruction Scope
SKILL.md stays within the scope of a local CLI tool and instructs where data is stored and how to change DATA_DIR. The runtime script only reads/writes files under the DATA_DIR, uses standard Unix tools, and does not perform network access. The concern: the instructions encourage storing license keys and other sensitive inputs, but the script logs them verbatim (timestamp|value), and export functions generate files containing those same plaintext values. There is no guidance about file permissions, encryption, or avoiding storing production secrets.
Install Mechanism
No install spec and no network downloads; the skill is instruction-only with an included Bash script. Nothing is written to arbitrary system locations beyond the declared DATA_DIR in the user's home. This is low-risk from an installation/third-party-code perspective.
Credentials
The skill declares no required environment variables and uses only HOME to build the data path, which is proportionate. However, despite requesting no credentials, the script will accept and persist any user-provided input (including sensitive keys and credentials) in plaintext logs and exports — effectively collecting secrets locally without protection. That behavior is not proportional to a promise of 'secure' storage.
Persistence & Privilege
Flags show always:false and normal model invocation. The skill does not request elevated privileges, does not modify other skills or system-wide settings, and only creates files under ~/.local/share/license. No persistent platform-level privileges are requested.
What to consider before installing
This tool is functionally what it says (a local CLI that logs license operations), but it stores everything you enter in plaintext under ~/.local/share/license and writes export files there. Before installing or using it:

  1. Inspect script.sh to confirm behavior (you already have it).
  2. Do not enter real production secrets or private keys into this tool until you modify it to protect them.
  3. If you plan to use it, change DATA_DIR to a directory with strict permissions and set chmod 700 on that directory and its files.
  4. Consider adding encryption (GPG) or hashing for stored values, or modify the script to store only non-sensitive identifiers and hashed digests instead of raw keys.
  5. Be aware export commands will produce files containing the same plaintext values (json/csv/txt).

If you need this functionality for sensitive licenses, require or implement encryption-at-rest and access controls first.
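A sketch of the permission and digest mitigations recommended above, as an added example that is not the skill's script.sh. The function names and the timestamp|identifier|digest record layout are assumptions modeled on the timestamp|value format the scan describes; only DATA_DIR comes from SKILL.md.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helpers, not part of the skill's script.sh).
# DATA_DIR is the variable named in SKILL.md; all other names are assumptions.
DATA_DIR="${DATA_DIR:-$HOME/.local/share/license}"

# SHA-256 hex digest of a string, using whichever tool the platform ships.
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
  fi
}

# Append "timestamp|identifier|digest" to <command>.log.
# The raw key is hashed in memory and never written to disk.
# Runs in a subshell so the restrictive umask does not leak to the caller.
log_key() (
  cmd="$1"; id="$2"; key="$3"
  umask 077                      # new files 600, new directories 700
  mkdir -p "$DATA_DIR"
  chmod 700 "$DATA_DIR"          # tighten a directory that already existed
  file="$DATA_DIR/$cmd.log"
  printf '%s|%s|%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$id" "$(digest "$key")" >> "$file"
  chmod 600 "$file"              # tighten a log that already existed
)

# Succeeds only if the candidate key hashes to a digest recorded for this identifier.
key_matches() {
  grep -Fq "|$2|$(digest "$3")" "$DATA_DIR/$1.log" 2>/dev/null
}
```

A digest supports comparison only: the key cannot be retrieved from it, so retrieval still needs encryption such as the GPG option the scan mentions. An unsalted hash of a short, guessable key can also be recovered by enumeration.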


Current version: v2.0.0

SKILL.md

License

A command-line security toolkit for managing software licenses. Generate, check strength, rotate, audit, store, retrieve, expire, set policies, report, hash, verify, and revoke license keys — all from your terminal with persistent logging and full activity history.

Why License?

  • Works entirely offline — your license data never leaves your machine
  • No external dependencies or accounts needed
  • Every action is timestamped and logged for full auditability
  • Export your history to JSON, CSV, or plain text anytime
  • Simple CLI interface with consistent command patterns

Commands

Command                          Description
license generate <input>         Generate a new license key or credential
license check-strength <input>   Check the strength of a license key or password
license rotate <input>           Rotate an existing license key to a new one
license audit <input>            Audit license entries for compliance or issues
license store <input>            Store a license key securely in the vault
license retrieve <input>         Retrieve a stored license key by identifier
license expire <input>           Mark a license key as expired
license policy <input>           View or set license policies and rules
license report <input>           Generate a report on license activity or status
license hash <input>             Hash a license key for secure comparison
license verify <input>           Verify a license key's validity or signature
license revoke <input>           Revoke an active license key
license stats                    Show summary statistics across all actions
license export <fmt>             Export all logs (formats: json, csv, txt)
license search <term>            Search across all log entries
license recent                   Show the 20 most recent activity entries
license status                   Health check — version, disk usage, entry count
license help                     Show help with all available commands
license version                  Print current version (v2.0.0)

Each data command (generate, check-strength, rotate, etc.) works in two modes:

  • With arguments — logs the input with a timestamp and saves to its dedicated log file
  • Without arguments — displays the 20 most recent entries from that command's log

Getting Started

# See all available commands
license help

# Check current system status
license status

# View statistics across all commands
license stats

Data Storage

All data is stored locally in ~/.local/share/license/. The directory structure:

  • generate.log, check-strength.log, rotate.log, audit.log, etc. — per-command log files
  • history.log — unified activity log across all commands
  • export.json, export.csv, export.txt — generated export files

Modify the DATA_DIR variable in script.sh to change the storage path.

Requirements

  • Bash 4.0+ (uses set -euo pipefail)
  • Standard Unix tools: date, wc, du, tail, grep, sed, cat
  • Works on Linux and macOS
  • No external packages or network access required

When to Use

  1. Generating new license keys — use license generate to create secure, unique license keys for software distribution or internal tools
  2. Rotating expired credentials — run license rotate to replace old keys with fresh ones, then license expire to mark the originals as invalid
  3. Auditing license compliance — use license audit and license report to review all active licenses and identify keys that need attention
  4. Verifying key authenticity — run license verify and license hash to confirm a key hasn't been tampered with or forged
  5. Tracking license lifecycle — use license stats, license recent, and license export to maintain a full audit trail from generation through revocation

Examples

# Generate a new license key
license generate "enterprise-plan-client-42"

# Check the strength of a key
license check-strength "ABCD-1234-EFGH-5678"

# Store a license securely
license store "client-42 ABCD-1234-EFGH-5678"

# Retrieve a stored license
license retrieve "client-42"

# Rotate an existing key
license rotate "client-42"

# Audit all licenses for compliance
license audit "full-scan"

# Verify a key's validity
license verify "ABCD-1234-EFGH-5678"

# Revoke a compromised key
license revoke "ABCD-1234-EFGH-5678"

# View summary statistics
license stats

# Export all history as CSV
license export csv

# Search for entries related to a client
license search "client-42"

Output

All commands output structured text to stdout. You can redirect output to a file:

license report annual-review > review.txt
license export json

Configuration

The data directory defaults to ~/.local/share/license/. Modify the DATA_DIR variable at the top of script.sh to customize the storage path.


Powered by BytesAgain | bytesagain.com | hello@bytesagain.com

Files

2 total