gopass
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is purpose-aligned with gopass, but it gives the agent broad, under-bounded access to reveal, search, change, delete, sync, and share password-store secrets.
Install this only if you want the agent to help operate your gopass password store. Use it narrowly: name the exact entry, avoid broad searches, do not use auto-confirm for destructive actions, and require explicit approval before showing passwords, deleting entries, syncing, or changing recipients.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used too broadly, the agent could expose passwords or alter who has access to team secrets.
The skill explicitly enables retrieving passwords and changing team recipients for the password store, which is high-impact credential and access-control authority.
gopass show path/to/secret # full entry (password + metadata)
gopass show -o path/to/secret # password only
...
gopass recipients add <gpg-id>
gopass recipients remove <gpg-id>
Only allow use for specific user-requested entries and require explicit approval before revealing secrets, changing recipients, or modifying store access.
A mistaken or overbroad invocation could delete many secrets or bypass safety prompts.
The documented workflow includes recursive deletion and an auto-confirm option, but the skill does not pair these with mandatory user confirmation or scoping safeguards.
gopass rm -r path/to/folder # recursive
...
Use `gopass --yes` to auto-confirm prompts
Avoid automatic use of recursive deletion or `--yes`; require the user to specify the exact path and confirm destructive actions.
Passwords, TOTP-related data, and metadata could be exposed in chat history, model context, or downstream tools.
The skill encourages returning secret values and searching secret contents in machine-readable form, which can place sensitive credentials into the agent context or logs without stated minimization rules.
gopass show -o path/to/secret # password only
...
gopass grep "username" # search entry contents
...
Use `gopass show -o path` for machine-readable password-only output
Prefer clipboard-only or user-approved display, avoid broad content searches, and do not retain or repeat secret values unless the user explicitly asks.
Security depends on the locally installed gopass/GPG setup and its configuration, not on code reviewed with this skill.
The skill relies on local gopass and GPG tooling that is outside the reviewed artifact, while the provided install metadata declares no required binaries or install spec.
- `gopass` binary installed
- GPG key available (gopass uses GPG for encryption)
- Store initialized (`gopass init` or `gopass setup`)
Verify that gopass and GPG are installed from trusted sources and that the intended store is initialized before using the skill.
