Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Credential Auditor
v1.0.0自动化凭证安全审计工具,支持设备默认密码匹配、密码字典生成和多协议暴力破解测试
⭐ 1· 53·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (credential auditing, default-password matching, wordlist generation, multi-protocol testing) matches the provided scripts and reference data. Required binaries (python3) and local reference files are appropriate. Suggested integration with Hydra/Medusa/Ncrack is coherent with the stated capability.
Instruction Scope
SKILL.md instructs the agent to run local Python scripts that generate wordlists, list default credentials, and (optionally) perform brute-force tests. The instructions explicitly warn to only perform authorized tests. The skill can perform network authentication attempts and recommends integrating external offensive tools—this is expected for the stated purpose but is powerful and dual-use, so the user must ensure authorization and run in an appropriate environment. No instructions reference unrelated system files, environment variables, or external hidden endpoints.
Install Mechanism
There is no automated install that downloads arbitrary code; the skill is instruction- and code-file based and asks the user to clone/copy into the OpenClaw skills directory and pip-install known Python packages. Recommended external tools are standard packages available from distro package managers or Homebrew. No suspicious remote-download URLs or extract-from-arbitrary-server steps were found in the manifest.
Credentials
The skill declares no required environment variables or credentials and the scripts do not attempt to read secrets or unrelated environment values. The number and type of resources requested (local reference files, Python deps) are proportional to the functionality.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. It does not modify other skills or system-wide settings. Normal autonomous invocation remains possible (platform default).
Assessment
This package appears internally coherent for credential-auditing work, but: 1) it enables password-guessing and integration with professional cracking tools—only run it with explicit, written authorization and in an isolated/sandboxed network; 2) review the code before running (the brute-force implementation here is a simplified placeholder, and real attacks rely on optional external tools), and avoid executing against public/unauthorized targets; 3) verify the skill's provenance (SKILL files reference a GitHub repo but the registry 'source' is unknown and docs mention files like LICENSE/utils.py that aren't in the manifest); 4) install Python dependencies in a virtualenv, and if you plan to use Hydra/Medusa/Ncrack install them from official package sources; 5) consider running the skill on a disposable VM or container and audit network activity/logs the first time you run it.Like a lobster shell, security has layers — review code before you run it.
latestvk97fbsrpm3vhg9khs4ctjpmdq183zp9a
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
OSmacOS · Linux · Windows
Binspython3