Htpasswd
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its htpasswd purpose, but its script can treat usernames as regular expressions, so unusual usernames could accidentally update or delete the wrong auth entries.
Review the target file path and username before allowing create, add, or delete operations. Avoid usernames with regex-like characters until the script is fixed, keep backups of important htpasswd files, ensure openssl is installed, and avoid placing real long-lived passwords in chat or command history unless necessary.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or unusual username could cause the agent to replace or remove multiple htpasswd entries, potentially locking users out or corrupting the password file.
The username is interpolated directly into regular-expression-based grep and sed operations. The visible validation rejects ':' and whitespace but does not reject or escape regex metacharacters such as '.*', so update, delete, and verify operations can match unintended users.
`grep -q "^${user}:" "$file"` ... `sed "s|^${user}:.*|${user}:${hash}|" "$file" > "$tmp"` ... `grep -v "^${user}:" "$file" > "$tmp"`
Escape usernames before using them in grep/sed patterns, use fixed-string matching where possible, restrict usernames to a safer character set, and back up the htpasswd file before update or delete operations.
Using this skill can change who has access to a protected site or service, and passwords may be present in the agent conversation or command arguments.
The skill intentionally manages authentication credentials and account entries for basic auth. This is purpose-aligned, but it is still sensitive authority.
`htpasswd create <file> <user> <password>` ... `htpasswd add <file> <user> <password>` ... `htpasswd delete <file> <user>`
Only use it on intended htpasswd files, review the exact file path and username before changes, and avoid sharing real long-lived passwords in prompts when possible.
The skill may not work unless openssl is installed, and behavior depends on the local openssl implementation.
The registry requirements say no binaries are required, while the documentation and script require openssl. This can cause runtime failure or reliance on whatever openssl binary is present on the system.
- `openssl` — for password hashing and verification
Ensure openssl is installed from a trusted source; the package metadata should declare openssl as a required binary.
