Skill v1.1.1

ClawScan security

Passwordstore Broker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 18, 2026, 10:31 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files, instructions, and requirements are internally consistent with its stated purpose of collecting secrets via one-time local/LAN HTTPS forms and storing them in pass for ephemeral injection into commands.
Guidance
This skill appears coherent and implements a local/LAN one-time intake flow that stores secrets into your pass store and injects them into commands without putting secret values in chat. Before installing, verify you are comfortable with: (1) installing and using pass/gpg on the host; (2) the fact that the skill runs a temporary local HTTPS server (ensure you run it on trusted networks and do not expose the intake URL in public channels); (3) storing the TOTP enrollment secret in ~/.passwordstore-broker/totp.secret and treating that file as sensitive (the project warns not to transmit it); and (4) any commands executed via run_with_secret.sh will run with the secret available to that process (so ensure those commands are trusted). If you need higher assurance, review the full get_password_from_user.py contents (it runs the local HTTPS server, LAN autodetection, and TOTP checks) and test in an isolated environment first.

Review Dimensions

Purpose & Capability
ok · Name/description claim collecting secrets and storing them in pass; included scripts implement TOTP enrollment, a local HTTPS intake form, pass-backed vault operations, and an env-injection wrapper. Declared binary dependencies (pass, gpg, openssl, python3, qrencode) match the implementation.
Instruction Scope
ok · SKILL.md explicitly restricts behavior to local/LAN intake, TOTP validation, storing/retrieving secrets via scripts/vault.sh, and executing commands via run_with_secret.sh. The runtime instructions do not request unrelated files, external endpoints, or unrelated credentials. They do require the agent to present the generated local/LAN URL to the user (expected for the one-time intake flow).
Install Mechanism
ok · No install spec; this is an instruction-first skill with bundled scripts. Nothing is downloaded from external URLs and no archives are extracted. Risk from install-time network downloads is therefore minimal.
Credentials
ok · The skill requests no environment variables or external credentials. It relies on locally installed tools (pass/gpg) rather than asking for tokens. The number and type of required tools are proportionate to the stated functionality.
Persistence & Privilege
ok · The always flag is false and the skill does not request elevated or system-wide privileges. It writes only into its own directory under the user's home (e.g., ~/.passwordstore-broker) and uses the user's pass store; it does not modify other skills or global agent configuration.