Dark Web Credential Checker

Malicious

Audited by ClawScan on May 10, 2026.

Overview

This paid breach-checker is advertised as querying real breach and dark-web sources, but the included code generates simulated breach results instead.

Do not rely on or pay for this skill as a real breach checker based on the provided artifacts. If you test it at all, use dummy emails, avoid the Discord command path for private identifiers, and prefer established breach-checking services with clear API behavior and privacy terms.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users may receive fabricated breach or clean results, make poor security decisions, or pay for a tool that does not perform the advertised checks.

Why it was flagged

The code explicitly uses simulated, deterministic breach results, while SKILL.md advertises real searches of public breach databases, paste sites, HIBP, DeHashed, and LeakCheck.

Skill content
```python
# Breach data (simulated public breach database)
# In production, this would query HIBP API, DeHashed, etc.
...
email_hash = hashlib.md5(email.lower().encode()).hexdigest()
num_breaches = email_num % 5
```

Recommendation

Do not rely on this skill for real breach checking unless it is clearly labeled as a demo or updated to use documented, verifiable breach-data APIs.

What this means

The skill can produce invalid password-breach conclusions and may send a derived hash prefix of the searched email to an external service.

Why it was flagged

The optional HIBP-style path hashes an email address and queries the Pwned Passwords range API, which is meant for password hashes, not email breach lookups.

Skill content
```python
sha1 = hashlib.sha1(email.lower().encode()).hexdigest().upper()
url = f"https://api.pwnedpasswords.com/range/{prefix}"
```

Recommendation

Use the correct HIBP breached-account API or clearly document any k-anonymity/password-check workflow and what data leaves the machine.

What this means

A user's email address, username, and breach-check intent could be exposed to a third-party platform or other channel participants.

Why it was flagged

The instructions encourage submitting sensitive email lookup targets in a Discord support channel without explaining who can see, store, or process those queries.

Skill content
As OpenClaw Discord Command

In `#edgeiq-support` channel:
```
!breach user@example.com
!breach user@example.com --pro
```

Recommendation

Avoid posting real emails or usernames in public/shared Discord channels; the publisher should provide private input paths and a clear privacy statement.

What this means

Local license identifiers may be used by the tool, although no outbound transmission is shown in the provided code.

Why it was flagged

The code reads a local license file and license/email environment variables, while the registry metadata declares no required env vars or primary credential.

Skill content
```python
LICENSE_FILE = Path.home() / ".edgeiq" / "license.key"
env_key = os.environ.get("EDGEIQ_LICENSE_KEY", "").strip()
email = os.environ.get("EDGEIQ_EMAIL", "").strip().lower()
```

Recommendation

Document all license files and environment variables in metadata and in the skill instructions.

What this means

Users could install code that differs from the reviewed artifact if the external repository changes.

Why it was flagged

The README points users to an unpinned external repository, while the registry source is unknown and there is no install spec.

Skill content
```
git clone https://github.com/snipercat69/edgeiq-credential-checker.git
cd edgeiq-credential-checker
```

Recommendation

Install only reviewed package contents or a pinned commit from a trusted source.