Password Policy Auditor

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent password-policy audit guide, but users should run its local searches only on intended repositories and treat any authentication findings as sensitive.

This skill appears safe to use for an authorized password-policy review. Before installing or invoking it, verify it will not receive purchase authority, run it only against repositories you are allowed to audit, and redact any secrets or sensitive authentication details from reports.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Audit output may expose authentication implementation details from the local project.

Why it was flagged

The skill instructs the agent/user to run local shell searches across the current codebase for password-hashing implementation details. This is expected for an audit, but it can read and display sensitive repository content.

Skill content
rg "bcrypt|argon2|scrypt|pbkdf2|sha256|sha512|md5|hashlib" \
  --type-not binary -g '!node_modules' -g '!vendor'
Recommendation

Run the commands only in the intended project directory, review results before sharing, and extend the -g exclusions to secret files (for example .env files and key material) and unrelated private folders so they never enter the agent context.

What this means

Sensitive password-related snippets could appear in the chat transcript or audit report.

Why it was flagged

This search is meant to detect plaintext password storage, but matching lines could include real secrets, sample credentials, or sensitive authentication code that may enter the agent context or generated report.

Skill content
rg -i "password.*=.*['\"]|password.*store|INSERT.*password"
Recommendation

Redact secrets from outputs and avoid sharing raw findings outside the authorized security-review context.
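The two search findings above share one mitigation: filter the rg output before it reaches the transcript or report. The following is an added example (not the skill's own code, and not produced by ClawScan) of a post-processor for rg -n style "path:line:content" output. The exclusion globs, the redaction rules and the sample match lines are constructed for illustration.

```python
"""Filter and redact rg/grep 'path:line:content' matches before reporting.

Added example for the search findings; not part of the audited skill.
Exclusion globs, redaction rules and sample input are assumptions.
"""
import re
from fnmatch import fnmatch
from os.path import basename

# Files whose contents should never be surfaced in an audit transcript (assumed list).
DEFAULT_EXCLUDES = (".env", ".env.*", "*.pem", "*.key", "secrets/*", "*/secrets/*")

# password = "..."  /  DB_PASSWORD: '...'  -> keep the left side, mask the literal
ASSIGN_RE = re.compile(r"""(password\w*\s*[:=]\s*)(['"])(.*?)\2""", re.IGNORECASE)
# Any single-quoted literal inside an INSERT that mentions a password column
SQL_LITERAL_RE = re.compile(r"'[^']*'")
INSERT_RE = re.compile(r"insert.*password", re.IGNORECASE)

# Constructed sample of what the skill's searches might return (not real project data).
SAMPLE_MATCHES = [
    "src/auth/hash.py:12:hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt())",
    'config/settings.py:8:DB_PASSWORD = "hunter2"',
    ".env:3:PASSWORD='s3cr3t'",
    "tests/fixtures/users.sql:4:INSERT INTO users (name, password) VALUES ('alice', 'p4ss');",
    "deploy/secrets/db.yaml:2:password: 'also-secret'",
]


def is_excluded(path, excluded=DEFAULT_EXCLUDES):
    """True if the full path or its basename matches any exclusion glob."""
    return any(fnmatch(path, g) or fnmatch(basename(path), g) for g in excluded)


def redact_line(content):
    """Mask literal values while keeping the code shape the auditor needs to see."""
    content = ASSIGN_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]{m.group(2)}", content
    )
    if INSERT_RE.search(content):
        content = SQL_LITERAL_RE.sub("'[REDACTED]'", content)
    return content


def filter_and_redact(lines, excluded=DEFAULT_EXCLUDES):
    """Drop matches from excluded files and redact the rest; returns report-safe lines."""
    out = []
    for line in lines:
        parts = line.split(":", 2)  # rg -n / grep -n output: path:line:content
        if len(parts) < 3:
            continue  # not a match line (e.g. a summary); skip rather than guess
        path, lineno, content = parts
        if is_excluded(path, excluded):
            continue
        out.append(f"{path}:{lineno}:{redact_line(content)}")
    return out


if __name__ == "__main__":
    for safe in filter_and_redact(SAMPLE_MATCHES):
        print(safe)
```

In practice you would pipe the real rg output into filter_and_redact instead of the constructed sample; the hashing call in src/auth/hash.py survives untouched because it contains no literal, while the settings assignment and SQL fixture keep their structure with the values masked, and the .env and secrets/ matches never appear at all.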

What this means

A password-derived hash prefix is sent to a third-party service during breach checking.

Why it was flagged

The breached-password check contacts the external HaveIBeenPwned range API with the first five hex characters of the password's SHA-1 hash. The artifact describes this as k-anonymity and purpose-aligned, and the full hash and the password itself stay local, but it is still an external data flow that reveals the check is taking place.

Skill content
resp = requests.get(f'https://api.pwnedpasswords.com/range/{prefix}')
Recommendation

Use the API only with authorization and where organizational policy allows external breach-check services; do not send plaintext passwords, and confirm that only the five-character prefix (never the full hash) is sent and that suffix matching happens locally.
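To make the data flow in this finding concrete, here is an added example (not the skill's code) of the k-anonymity range check done end to end, with the network fetch swapped for a constructed range response so it runs offline. The hash split and suffix matching are the parts worth verifying; the live fetcher at the bottom, which uses the documented Add-Padding header, is an assumption about how you would wire it up and is never called here.

```python
"""k-anonymity breached-password check against the HIBP range API.

Added example; not the audited skill's own code. The range body below is
constructed, and the counts in it are made up.
"""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Return (5-char prefix sent to the API, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Scan a 'SUFFIX:COUNT' range response locally; 0 if the suffix is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password, fetch_range):
    """Breach count for password; fetch_range(prefix) supplies the range body."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))


def fetch_range_live(prefix, timeout=10):
    """Real fetch (assumed wiring, not exercised here). Only the prefix leaves the host."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix, headers={"Add-Padding": "true"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range body returned for prefix 5BAA6
# (SHA-1 of "password" is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8).
FAKE_RANGE_5BAA6 = "\r\n".join([
    f"{'0' * 34}A:12",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # made-up count
    f"{'F' * 34}B:0",  # padding entry, as Add-Padding would produce
])


def fake_fetch(prefix, _calls=[]):
    """Offline fetcher that also records what would have been sent."""
    _calls.append(prefix)
    return FAKE_RANGE_5BAA6


if __name__ == "__main__":
    print(check_password("password", fake_fetch))
```

The point the recommendation makes is visible in check_password: the only value that reaches fetch_range is the five-character prefix, and the suffix comparison never leaves the process. Requesting padding makes every response the same rough size so the prefix's bucket cannot be inferred from response length.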