ClawHub

Encryption

Encrypt files, secure passwords, manage keys, and audit code for cryptographic best practices.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 932 · 9 current installs · 9 all-time installs
byIván@ivangdavila
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the included materials: encryption patterns, mobile Keychain/Keystore, Vault/KMS usage, and audit checklists. The examples legitimately reference tools and services commonly used for encryption (age, gpg, aws KMS, HashiCorp Vault, SQLCipher, psql, kubectl). Nothing in the content appears intended for a different purpose.
!
Instruction Scope
SKILL.md and included files instruct running commands that access network services, system configuration, and cloud storage (aws s3 cp, vault kv put/get, psql, kubectl, certbot, openssl, nmap, curl). Those operations can read or transmit sensitive data. The skill does not declare or document the credentials or environment configuration required to run those commands, and some examples embed or echo secrets (e.g., building SQL with a shell variable). This grants broad discretion to an agent following the instructions and could lead to unintended data access or transmission if invoked without care.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing will be written to disk by an installer. This is the lowest-risk installation model.
!
Credentials
The skill metadata lists no required environment variables or credentials, but the documentation uses AWS CLI, AWS KMS, Vault, Postgres, and kubectl—all of which require credentials or access (AWS keys/roles, Vault token/agent, DB user/password, kube credentials). The lack of declared required secrets is inconsistent with the runtime actions it describes and increases the chance the user will run the examples with improperly scoped credentials or accidentally expose secrets.
Persistence & Privilege
always is false and the skill does not request persistent system presence or modify other skills/configs. Autonomous invocation is allowed (platform default) but is not combined with additional privileged settings.
What to consider before installing
This skill is a collection of encryption patterns and operational scripts that are consistent with its stated purpose, but it instructs actions that require sensitive credentials and access (AWS, Vault, Postgres, Kubernetes, etc.) while declaring none. Before installing or running any examples: 1) Review and run examples in an isolated/test environment (not production). 2) Provide least-privilege credentials (short-lived tokens/roles) for any cloud/Vault/DB access. 3) Avoid copying example commands verbatim that construct or echo secrets into shell history or logs (use parameterized APIs or environment-only injection). 4) Inspect and adapt scripts that perform uploads (aws s3 cp), DB changes (psql ALTER USER), or Vault writes so they do not leak secrets to logs or remote services. 5) If you want to allow autonomous agent invocation, consider the agent's access scope carefully—do not grant broad cloud or kube credentials to an agent that can call these steps automatically.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97ek8hqktqgf14vy46nt41brs813pj4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

When to Use

  • Encrypting files, database fields, or app storage
  • Password hashing (bcrypt, argon2)
  • Key management, rotation, derivation
  • TLS/certificate configuration
  • Auditing code for crypto mistakes
  • Mobile secure storage (Keychain, Keystore)

Algorithm Selection

PurposeUseAvoid
Passwordsargon2id, bcrypt (cost≥12)MD5, SHA1, plain SHA256
SymmetricAES-256-GCM, ChaCha20-Poly1305AES-ECB, DES, RC4
AsymmetricRSA-4096+OAEP, Ed25519, P-256RSA-1024, PKCS#1 v1.5
Key derivationPBKDF2 (≥600k), scrypt, argon2Single-pass hash
JWT signingRS256, ES256HS256 with weak secret
TLS1.2+ onlyTLS 1.0/1.1, SSLv3

Critical Rules

  1. Never reuse IVs/nonces — AES-GCM + repeated nonce = catastrophic
  2. Use authenticated encryption (AEAD) — Plain CBC enables padding oracles
  3. Hash passwords, don't encrypt — Hashing is one-way
  4. No hardcoded keys — Use env vars, KMS, or Vault
  5. No Math.random() for crypto — Use CSPRNG only
  6. Constant-time comparisons — Prevent timing attacks on secrets
  7. Separate keys by purpose — Encryption ≠ signing ≠ backup

File Encryption (CLI)

# age (modern, simple)
age -p -o file.age file.txt
age -d -o file.txt file.age

# GPG
gpg -c --cipher-algo AES256 file.txt

Platform-Specific

See patterns.md for code snippets:

  • Password hashing (Node, Python, Go)
  • Envelope encryption with KMS
  • JWT with RS256 key rotation
  • Secure token generation

See mobile.md for:

  • iOS Keychain wrapper
  • Android EncryptedSharedPreferences
  • SQLCipher setup
  • Biometric auth integration
  • Certificate pinning

See infra.md for:

  • TLS certificate auto-renewal
  • HashiCorp Vault policies
  • mTLS between services
  • Backup encryption verification

Audit Checklist

  • No plaintext passwords in DB/logs/env
  • No secrets in git history
  • No hardcoded keys in source
  • No Math.random() for security
  • No deprecated algorithms (MD5, SHA1, DES)
  • No disabled cert validation
  • IVs/nonces never reused
  • PBKDF2 iterations ≥600k / bcrypt cost ≥12
  • TLS 1.2+ enforced, old protocols disabled
  • Key rotation procedure documented

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…