Encryption
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent encryption best-practices skill with no executable install code, but it includes reference commands that can change infrastructure if a user chooses to run them.
This skill appears safe as documentation and best-practice guidance. Before using its infrastructure snippets, confirm the target system, credentials, and rollback plan, especially for Vault, database, Kubernetes, S3, and systemd examples.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied and run without checking the target environment, these commands could disrupt an application or change production credentials.
The secret-rotation example shows commands that can change a database password, update Vault, and restart an application deployment. This is purpose-aligned, but materially impactful if run against a real environment.
psql -c "ALTER USER appuser WITH PASSWORD '$NEW_PASS';" ... vault kv put secret/myapp/db password="$NEW_PASS" ... kubectl rollout restart deployment/myapp
Treat these snippets as manual runbook examples; require explicit user approval, confirm the environment, and prepare rollback steps before running them.
A token created with too much access could expose or modify secrets beyond the intended application scope.
The Vault example involves creating delegated secret-management credentials. This fits the key-management purpose, but it requires careful privilege scoping.
vault token create -policy=myapp-prod -period=24h
Use least-privilege Vault policies, short token lifetimes, and verify the policy contents before creating or distributing tokens.
A scheduled renewal service can keep modifying certificates and reloading services until it is disabled.
The TLS auto-renewal example creates a persistent scheduled service. It is disclosed and appropriate for certificate renewal, but it keeps operating after setup.
OnCalendar=*-*-* 02:00:00 ... Persistent=true ... ExecStart=/usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"
Install persistent timers only intentionally, document them, and ensure users know how to inspect, disable, or remove them.