AceToolz Password Generator
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill is coherent and purpose-aligned, but it generates passwords through a third-party API, so users should only use it if they trust AceToolz with the generated secret.
This skill appears safe to install if you are comfortable using AceToolz as a remote password generator. For especially sensitive credentials, prefer a local password manager or generator so the password is created only on your device.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run curl or PowerShell locally to contact AceToolz when asked to generate a password.
The skill instructs the agent to use shell-based commands to make an outbound API request. This is expected for the documented API workflow and is scoped to a single endpoint, but users should notice that command execution is involved.
Use `exec` to call the AceToolz API. Detect the OS and run the appropriate command:
Use the skill only for its stated endpoint and parameters; do not allow unrelated shell commands to be added to the workflow.
AceToolz could technically see the generated password before it is shown to the user.
Passwords are generated by a remote provider API. Even though the request only sends generation options, the provider generates and returns the resulting password, so the generated secret crosses a third-party data boundary.
curl -s -X POST https://www.acetoolz.com/api/openclaw/password-generator
Only use this for accounts where you are comfortable trusting the provider; for highly sensitive accounts, consider a local password manager or local generator.
Users may rely on the no-storage claim when deciding whether to use the generated password.
The artifact makes a privacy/security assurance about provider storage. There is no artifact evidence that contradicts it, but the user must trust the provider because the generation happens remotely.
No passwords are stored — generated and returned in real-time.
Review AceToolz’s privacy/security information if this matters for your use case, and avoid reusing generated passwords across services.
