Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AceToolz Password Generator

v1.0.2

Generate secure passwords via the AceToolz API. No passwords are stored — generated and returned in real-time.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description claim (generate passwords via AceToolz API) matches the runtime instructions: the SKILL.md explicitly sends POST requests to https://www.acetoolz.com/api/openclaw/password-generator. No unrelated binaries, env vars, or install steps are requested.
Instruction Scope
The instructions tell the agent to call the external AceToolz API and return the generated password to the user. That is within the stated purpose, but it means secret data (the generated password) is transmitted to a remote service. The SKILL.md asserts 'No passwords are stored' but provides no verification or guidance for auditing storage/retention policy on the AceToolz side. The skill also requires outbound network permission (declared) and uses exec/curl/Invoke-RestMethod to perform calls.
Install Mechanism
Instruction-only skill with no install spec and no code files — no new software is written to disk. This is the lowest install risk.
Credentials
The skill requests no environment variables, credentials, or config paths. No broad secrets are requested, which is proportionate to a simple API-calling password generator.
Persistence & Privilege
always:false (default) and no indications the skill writes persistent agent-global configuration or modifies other skills. Autonomous invocation is allowed (platform default) but not an added privilege here.
Scan Findings in Context
[no_regex_findings] expected: The static scanner found nothing because this is an instruction-only skill with no code files to analyze; that absence is expected but provides no assurance about the remote API's behavior.
What to consider before installing
This skill is coherent with its description but remember it sends generated passwords to a third party (https://www.acetoolz.com). If you need passwords that never leave your device, prefer a local generator. If you decide to use this skill: (1) treat generated passwords as sensitive — avoid sending them to other services, (2) verify the endpoint uses HTTPS and consider testing with non‑sensitive passwords first, (3) review AceToolz's privacy/storage policy before trusting real secrets, and (4) if you want stronger assurance, request or implement a purely local generation skill that uses a cryptographic RNG instead of an external API.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔐 Clawdis