Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SnapPwd Secure Secret Sharing

Securely share secrets, API keys, files, and credentials with OpenClaw agents and team members via self-destructing links. Use when the user needs to share s...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)

Purpose & Capability
Name/description (secure, ephemeral secret sharing) match the provided materials: SKILL.md, CLI usage, security model, and the shell helper all point to using snappwd.io or @snappwd/cli. There are no unrelated environment variables, binaries, or install actions requested that would be incoherent with the stated purpose.
Instruction Scope
Instructions stay within the domain of creating and sharing ephemeral encrypted links. The docs and examples explicitly show sharing highly sensitive items (e.g., .env, SSH private keys) and instruct users to run CLI commands (snappwd put-file) that will read local files — that is expected for this tool but is high-risk behavior for users. The skill itself does not instruct the agent to read arbitrary system files or access other skills' configs.
Install Mechanism
This is an instruction-only skill with an included helper script; there is no install spec that downloads arbitrary code. The documented install method for the CLI is npm install -g @snappwd/cli (a standard public registry flow). That is proportionate for providing a CLI; users should however vet the npm package and its source before global installation.
Credentials
No required environment variables or primary credentials are declared. The references mention an optional SNAPPWD_API_URL for self-hosting, which is reasonable. No unrelated secrets or system config paths are requested by the skill itself. Example usage shows putting local files (e.g., ~/.ssh/id_rsa) — this is consistent with the service's purpose but increases user risk.
Persistence & Privilege
always is false and model invocation is normal. The skill does not request persistent elevated privileges, nor does it modify other skills or system-wide agent settings. The included script only invokes the snappwd CLI and prints the link.
Assessment

This skill appears to do what it says (create one-time encrypted links) and does not request unrelated credentials. Before using it:

  1. Be cautious about what you share — avoid sharing long-term private keys or production secrets when possible; prefer generating temporary credentials or sharing only the minimal secret required.
  2. If you must share private keys, rotate/revoke them immediately after use.
  3. Verify the CLI package/source (GitHub repo) before running npm install -g; installing global npm packages can be risky if the package is untrusted.
  4. Confirm you are on the correct domain (https://snappwd.io) to avoid phishing, or consider self-hosting and pointing SNAPPWD_API_URL to your instance for sensitive uses.
  5. Remember the URL fragment (the key after #) only lives in the client — do not paste the full URL into insecure logs; share the link only with verified recipients.

If you want greater assurance about the implementation, ask the publisher for the CLI/service source repo and audit the npm package and server code before use.

Current version: v1.0.1

SKILL.md

SnapPwd Secure Secret Sharing

Share secrets and files securely via self-destructing, end-to-end encrypted links.

When to Use This Skill

  • User wants to share a password, API key, or credential in chat
  • User needs to share a sensitive file (.env, config, private key, certificate)
  • User mentions they need to send sensitive data to someone
  • User is troubleshooting and needs to share configuration details with secrets
  • User asks about secure ways to share credentials or files

Quick Start

Option 1: Web Interface (Recommended)

Direct user to create a secure link at https://snappwd.io:

For text secrets:

  1. Go to https://snappwd.io
  2. Paste the secret
  3. Click "Create Secure Link"
  4. Share the generated link

For files:

  1. Go to https://snappwd.io
  2. Click the file upload area or drag & drop
  3. Select the file (e.g., .env, .pem, config file)
  4. Click "Create Secure Link"
  5. Share the generated link

The link self-destructs after one download. The file is encrypted client-side and the server never sees the contents.

Option 2: CLI (For Terminal Users)

If the user has @snappwd/cli installed:

# Install if needed
npm install -g @snappwd/cli

# Share a text secret
snappwd put "your-secret-here"

# Share a file (e.g., .env, config, private key)
snappwd put-file ./database.env
snappwd put-file ~/.ssh/id_rsa

# Output: https://snappwd.io/g/abc123...#encryption-key...

What Can Be Shared

| Type | Examples | Use Case |
| --- | --- | --- |
| Text Secrets | API keys, passwords, tokens | Quick credential sharing |
| Config Files | .env, config.json, settings.yaml | Share environment configs securely |
| Private Keys | SSH keys, TLS certificates, PGP keys | Temporary key distribution |
| Credentials Files | credentials.json, .netrc | Service account access |

Security Model

Key points to explain to users:

  1. Zero-Knowledge Encryption: Secrets are encrypted in the browser/CLI before upload. The server never sees the plaintext or encryption key.

  2. Self-Destructing: Links work exactly once. After viewing, the secret is permanently deleted from the server.

  3. Key in URL Fragment: The encryption key is embedded in the URL after #, which means it's never sent to the server—it stays in the browser.

  4. No Account Required: No signup, no tracking, no logs of who created or viewed the secret.
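
The fragment behaviour in point 3, together with the domain check and the logging caution from the scan assessment, as an added example (not SnapPwd's or ClawHub's code). The URLs are constructed samples and the function names are illustrative assumptions.

```javascript
// Added example: names below are illustrative, not part of SnapPwd's code.
const EXPECTED_HOST = 'snappwd.io'; // domain named on this page

// Split a share link into the part an HTTP request carries to the server
// and the part that never leaves the client (everything after '#').
function splitShareLink(link) {
  const u = new URL(link);
  return {
    // Exact hostname match over HTTPS; a lookalike host fails this check.
    trustedHost: u.protocol === 'https:' && u.hostname === EXPECTED_HOST,
    // Request target: scheme, host, path and query. No fragment.
    sentToServer: u.origin + u.pathname + u.search,
    // Key material held only by the browser or CLI.
    clientOnly: u.hash.slice(1),
  };
}

// Strip the fragment from every URL in a line of text before it is written
// to a log, ticket or chat export, so the stored line cannot decrypt anything.
function redactFragments(text) {
  return text.replace(/(https?:\/\/[^\s#]+)#[^\s]+/g, '$1#[REDACTED]');
}

// Constructed sample values (not real links or keys).
const sample = 'https://snappwd.io/g/EXAMPLE-ID#EXAMPLE-KEY';
const lookalike = 'https://snappwd.io.example.net/g/EXAMPLE-ID#EXAMPLE-KEY';
const logLine = `user shared ${sample} in #ops`;

console.log(splitShareLink(sample));
console.log('lookalike trusted?', splitShareLink(lookalike).trustedHost);
console.log(redactFragments(logLine));
```

The fragment is withheld from the request but is still present wherever the full link is pasted, which is why the redaction step belongs in front of any log sink.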

Common Use Cases

| Use Case | Example |
| --- | --- |
| API Key Sharing | "I need to share my OpenAI API key with a teammate" |
| Database Credentials | "Send the DB password to the new developer" |
| OAuth Tokens | "Share this access token with the integration team" |
| Config File Sharing | "I need to share my .env file securely" |
| SSH Key Distribution | "Send the deploy key to the DevOps team" |
| Certificate Sharing | "Share the TLS certificate with the infra team" |
| Temporary Access | "Give the contractor the SSH key temporarily" |
| Troubleshooting | "I need to share my config file (with secrets) for debugging" |

Best Practices

  1. Never paste secrets directly in chat — Chat history is permanent and searchable.

  2. Use for one-time sharing — SnapPwd is designed for ephemeral sharing, not long-term storage.

  3. Verify the recipient — Anyone with the link can view the secret once.

  4. Set appropriate expiration — For sensitive secrets, consider setting a short TTL.

Integration with OpenClaw

When users need to share credentials for OpenClaw configuration:

  1. User creates a SnapPwd link with the credential
  2. User shares the link in the OpenClaw chat
  3. OpenClaw (or the human on the other side) opens the link to retrieve the credential
  4. Link self-destructs, leaving no trace in chat history

This is especially useful for:

  • Sharing API keys for agent configuration
  • Providing temporary access to services
  • Sharing secrets during troubleshooting sessions

Troubleshooting

"The link says it was already viewed"

  • The secret was already accessed. You'll need to create a new link.

"I need to share with multiple people"

  • Create separate links for each recipient, or use the "peek" feature to check metadata without destroying the secret.
