Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

pass - stores, retrieves, generates, and synchronizes passwords securely

v1.0.0

Complete guide for using pass, the standard Unix password manager. Use this skill whenever the user asks about pass, password-store, managing passwords from...

by Tiago Bastos (@bastos)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description match the SKILL.md content: the document is a practical guide to installing, configuring, and using pass (including GPG and git workflows). All required actions (GPG key generation/import, initializing the store, git sync, pass-otp, pass-import) are expected for this purpose.
Instruction Scope
The instructions stay within the scope of managing a pass password store, but they include highly sensitive, high-impact operations (e.g., importing a private GPG key, initializing/pushing a git remote, running pass grep which decrypts entries). These are appropriate for a pass guide but are operations that will affect and potentially expose secrets if executed without care.
Install Mechanism
No install specification or remote downloads are present — the skill is instruction-only and only recommends installing packages via standard OS package managers or brew/pip, which is proportionate for this guide.
Credentials
The skill requests no environment variables, credentials, or config paths. It references typical user artifacts (e.g., ~/.password-store, private-key.asc, git remotes, SSH keys) that are expected for using pass; it does not demand access to unrelated services or secrets.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always is false). It's an on-demand guide and does not modify other skills or system-wide agent settings.
Assessment
This skill is essentially documentation and appears consistent with its purpose. Before running any of the commands shown: (1) review them line-by-line and understand their effects (especially git push, gpg --import, pass rm, and pass grep which decrypts data); (2) back up your store and private keys before making changes; (3) never paste your GPG private key or decrypted passwords into untrusted places; (4) ensure any remote repo you push to is private and you intend to host secrets there; and (5) if an automated agent attempts to execute these commands on your behalf, do not grant it access to your GPG private key or to the filesystem holding ~/.password-store unless you explicitly trust the agent and environment.

Like a lobster shell, security has layers — review code before you run it.

