Hash Generator Tool

Pass

Audited by ClawScan on May 13, 2026.

Overview

This appears to be a simple offline hashing and encoding tool with no network access or persistence, but real HMAC secret keys should be handled carefully.

This skill looks safe for ordinary offline hashing, Base64, UUID, and checksum-style use. Be cautious when using real HMAC secrets because the documented interface passes the key on the command line; also avoid relying on MD5 or SHA-1 for security-sensitive purposes.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you use real signing secrets, the provided code keeps them local, but the way they are entered may still expose them on the local machine or in command records.

Why it was flagged

The HMAC feature is explicitly driven by a user-supplied secret key. This is purpose-aligned, but secrets supplied on a command line may be visible locally through shell history, process listings, or agent/tool logs.

Skill content

python3 scripts/hash_toolkit.py "message" --hmac "secret-key"

Recommendation

Avoid using long-lived production HMAC keys in command-line examples when possible; prefer test keys or a safer secret-entry method such as stdin or an interactive prompt if the publisher adds one.