Credential Auditor
Audited by ClawScan on May 10, 2026.
Overview
This skill is a dual-use password-auditing tool that openly documents brute-force workflows but lacks strong authorization safeguards and overstates what its included code actually does.
Install or use this only if you perform authorized security testing. Before running any brute-force or default-password test, confirm the exact target, written authorization, allowed protocols, rate limits, and lockout protections. Also verify the code in a lab first, because the included brute-force implementation appears to be a stub rather than a real protocol tester.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could attempt password guessing against a host you name; on the wrong target this may lock accounts, disrupt services, or create legal risk.
The skill instructs the agent to use brute-force tools and multi-threaded password testing for user-supplied targets, but does not define a mandatory authorization, target-scope, or rate-limit checkpoint.
Specify the protocol and target → use brute-force tools ... run multi-threaded password testing
Require explicit authorization confirmation for each target, define allowed IPs/domains and protocols, use conservative rate limits, and keep brute-force actions behind a user approval step.
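The checkpoint this finding asks for, written out as an added example (it is not code from the Credential Auditor skill, and the `Engagement`, `Gate` and `Throttle` names, the scope `10.0.5.0/24` / `lab.example.test` and the ticket reference are all constructed for illustration). Every attempt has to pass an in-scope check against the written authorization, an explicit per-target approval, a protocol allowlist, a per-account attempt cap kept below the lockout threshold, and a global rate limit; refusals return the reason so it can be logged.

```python
"""Authorization and rate-limit gate to run before any credential-guessing step.

Added example for this report, not code from the Credential Auditor skill.
All names (Engagement, Gate, Throttle, ...) and the sample scope are constructed.
"""
import ipaddress
import time
from dataclasses import dataclass, field


@dataclass
class Engagement:
    """What the written authorization allows, transcribed by the operator."""
    reference: str                 # ticket / statement-of-work identifier (constructed)
    allowed_networks: list         # CIDR blocks in scope
    allowed_domains: list          # hostnames or domains in scope
    allowed_protocols: set
    max_attempts_per_minute: int   # conservative global rate limit
    max_attempts_per_account: int  # keep below the target's lockout threshold
    approved_targets: set = field(default_factory=set)  # explicit per-target approval


def target_in_scope(target: str, eng: Engagement) -> bool:
    """An IP must fall inside an allowed CIDR; a hostname must equal or sit under an allowed domain."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        host = target.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in eng.allowed_domains)
    return any(ip in ipaddress.ip_network(net) for net in eng.allowed_networks)


class Throttle:
    """Sliding one-minute window; the clock is injectable so it can be exercised offline."""
    def __init__(self, per_minute: int, clock=time.monotonic):
        self.per_minute = per_minute
        self.clock = clock
        self.stamps = []

    def allow(self) -> bool:
        now = self.clock()
        self.stamps = [t for t in self.stamps if now - t < 60.0]
        if len(self.stamps) >= self.per_minute:
            return False
        self.stamps.append(now)
        return True


class Gate:
    """Every login attempt must pass through here; refusals carry the reason for the audit log."""
    def __init__(self, eng: Engagement, clock=time.monotonic):
        self.eng = eng
        self.throttle = Throttle(eng.max_attempts_per_minute, clock)
        self.per_account = {}  # (target, username) -> attempts made so far

    def authorize_attempt(self, target: str, protocol: str, username: str):
        if not target_in_scope(target, self.eng):
            return False, f"{target} is outside the authorized scope ({self.eng.reference})"
        if target not in self.eng.approved_targets:
            return False, f"{target} has not been explicitly approved by the operator"
        if protocol not in self.eng.allowed_protocols:
            return False, f"protocol {protocol} is not in the allowed set"
        key = (target, username)
        if self.per_account.get(key, 0) >= self.eng.max_attempts_per_account:
            return False, f"attempt cap for {username}@{target} reached (lockout risk)"
        if not self.throttle.allow():
            return False, "global rate limit exceeded; back off"
        self.per_account[key] = self.per_account.get(key, 0) + 1
        return True, "authorized"


def demo_decisions(clock=time.monotonic):
    """Walk a constructed scope through the gate and return the (allowed, reason) decisions."""
    eng = Engagement(
        reference="PT-2026-042 (constructed)",
        allowed_networks=["10.0.5.0/24"],
        allowed_domains=["lab.example.test"],
        allowed_protocols={"ssh"},
        max_attempts_per_minute=3,
        max_attempts_per_account=2,
        approved_targets={"10.0.5.12", "web01.lab.example.test"},
    )
    gate = Gate(eng, clock)
    requests = [
        ("10.0.5.12", "ssh", "admin"),              # authorized
        ("10.0.5.12", "ssh", "admin"),              # authorized (2nd and last for this account)
        ("10.0.5.12", "ssh", "admin"),              # refused: per-account cap
        ("10.0.5.12", "ftp", "root"),               # refused: protocol not allowed
        ("10.0.5.99", "ssh", "root"),               # refused: in scope but never approved
        ("192.168.1.1", "ssh", "root"),             # refused: outside scope
        ("web01.lab.example.test", "ssh", "root"),  # authorized (3rd attempt in the window)
        ("web01.lab.example.test", "ssh", "svc"),   # refused: global rate limit
    ]
    return [gate.authorize_attempt(*r) for r in requests]


if __name__ == "__main__":
    for allowed, reason in demo_decisions():
        print("ALLOW" if allowed else "DENY ", reason)
```

The scope check runs before the approval check on purpose: a target that is out of scope is refused even if an operator approves it by mistake, and the reason string names the authorization reference so the refusal is self-explaining in the log.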
Using this outside systems you own or are authorized to test could amount to unauthorized access attempts.
The skill is designed to try default credentials and report valid account credentials. This is purpose-aligned for authorized auditing, but it directly touches account-access boundaries.
Attempt login with default credentials ... Valid credentials found: 1. admin:admin123 2. root:password
Use only with written authorization and a documented test scope; avoid testing real user accounts unless the authorization explicitly allows it.
You must trust the packages and system tools you install; unpinned versions can change over time.
The install documentation asks users to install third-party Python packages and optional offensive-security tools without version pins or hashes. This is disclosed and purpose-aligned, but it expands the trusted local toolchain.
pip install paramiko requests colorama ... brew install hydra medusa ncrack ... sudo apt-get install hydra medusa ncrack
Install in an isolated environment, pin versions where possible, use trusted package sources, and review optional tools before adding them to PATH.
If audit results are saved or shared insecurely, valid credentials could be exposed.
The example report includes plaintext valid credentials. Reports, output files, or chat transcripts containing this data become sensitive artifacts.
Valid credentials found: 1. admin:admin123 2. root:password
Store results in a protected location, redact credentials before sharing, avoid copying them into long-lived agent memory, and delete sensitive test outputs when no longer needed.
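One way to redact a report before it is shared, added here as an example rather than code from the skill. The `redact_report` function, the HMAC key and the `SAMPLE_REPORT` text (which mirrors the example output quoted above, with the escaped `\n` that chat transcripts tend to carry) are constructed. Each password inside a "Valid credentials" section is replaced by a keyed fingerprint, so two reports can still be correlated with the original kept under access control, while nothing outside that section, such as a `host:port` URL, is touched.

```python
"""Redact credentials from an audit report before it leaves the protected store.

Added example for this report, not part of the Credential Auditor skill.
Replaces each secret with a keyed fingerprint so findings stay correlatable
with the original (kept under access control) without exposing the password.
"""
import hashlib
import hmac
import re

# A credential entry as the skill's sample report prints it: optional list number, then user:password.
CRED_LINE = re.compile(r"^(?P<prefix>\s*(?:\d+[.)]\s*)?)(?P<user>[^\s:]+):(?P<secret>\S+)\s*$")
SECTION_HEADER = re.compile(r"valid credentials", re.IGNORECASE)


def redact_report(text: str, key: bytes) -> str:
    """Return the report with passwords replaced inside every 'valid credentials' section."""
    text = text.replace("\\n", "\n")  # transcripts often carry escaped newlines rather than real ones
    out, in_section = [], False
    for line in text.splitlines():
        if SECTION_HEADER.search(line):
            in_section = True
            out.append(line)
            continue
        if not line.strip():
            in_section = False  # a blank line ends the credential list
        m = CRED_LINE.match(line) if in_section else None
        if m:
            # HMAC rather than a bare hash: without the key the fingerprint cannot be brute-forced back
            tag = hmac.new(key, m["secret"].encode(), hashlib.sha256).hexdigest()[:10]
            out.append(f"{m['prefix']}{m['user']}:<redacted hmac:{tag}>")
        else:
            out.append(line)
    return "\n".join(out)


def leaked_secrets(redacted: str, secrets) -> list:
    """Final check before sharing: which of the known secrets still appear verbatim?"""
    return [s for s in secrets if s in redacted]


# Constructed sample mirroring the skill's example output, with escaped newlines as a transcript would have.
SAMPLE_REPORT = ("Target: 10.0.5.12 (ssh://10.0.5.12:22)\\n"
                 "Valid credentials found:\\n1. admin:admin123\\n2. root:password\\n\\n"
                 "Failed attempts: 38")

if __name__ == "__main__":
    key = b"constructed-redaction-key"  # in practice: from a secrets store, never in the report
    print(redact_report(SAMPLE_REPORT, key))
    print("leaks:", leaked_secrets(redact_report(SAMPLE_REPORT, key), ["admin123", "password"]))
```

Run `leaked_secrets` with the list of credentials the audit actually found, not a guess: it is the assertion that the redaction covered every finding, and it is cheap enough to run on every artifact before it is attached to a ticket or pasted into a chat.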
You could believe a credential audit was performed when the provided script did not actually test logins, creating false confidence in the target's security.
The included brute-force script is explicitly a simplified stub that always returns False, while the documentation presents the skill as supporting real multi-protocol credential testing.
Test a single credential (simulated) ... # the actual protocol test logic should be implemented here ... return False
Treat the current implementation as incomplete unless independently verified; the maintainer should clearly label stub behavior or implement the claimed protocol tests.
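A lab control check that catches exactly this failure mode, added as an example (not code from the skill). `stub_test_credential` reproduces the always-False behaviour quoted above; `lab_login` and the `LAB_ACCOUNTS` table stand in for a throwaway lab host with a known account, since a real tester would speak SSH, FTP or whatever protocol is claimed. Before trusting any run, the tester is given one credential that must succeed and one that must fail; a tool that never reports success, or that raises on connection, is flagged instead of being read as "no weak credentials found".

```python
"""Lab control check: prove the credential tester can actually detect a valid login.

Added example for this report, not code from the skill. `lab_login` stands in for
a throwaway lab host with known accounts; `stub_test_credential` reproduces the
always-False behaviour the audit found. Names, hosts and accounts are constructed.
"""

LAB_ACCOUNTS = {("10.0.5.200", 22): {"labuser": "Canary!2026"}}  # constructed lab host


def stub_test_credential(target, port, username, password) -> bool:
    """Mirrors the stub in the skill: no protocol exchange, always 'invalid'."""
    return False


def lab_login(target, port, username, password) -> bool:
    """A working tester would speak SSH/FTP/etc.; this consults the lab account table instead."""
    if (target, port) not in LAB_ACCOUNTS:
        raise ConnectionError(f"no route to {target}:{port}")
    return LAB_ACCOUNTS[(target, port)].get(username) == password


def verify_tester(test_fn, target, port, known_valid, known_invalid) -> dict:
    """Run the tester on one credential that must succeed and one that must fail.

    A tester that misses the control login cannot be trusted to find real weak
    credentials; one that 'accepts' the bad login would produce false positives.
    Network or protocol errors are surfaced separately instead of being counted
    as 'login failed', which is the other way a tool silently underreports.
    """
    def probe(cred):
        try:
            return test_fn(target, port, *cred)
        except Exception as exc:  # timeout, refused connection, protocol error
            return exc

    pos, neg = probe(known_valid), probe(known_invalid)
    if isinstance(pos, Exception) or isinstance(neg, Exception):
        err = pos if isinstance(pos, Exception) else neg
        return {"trustworthy": False, "verdict": f"undetermined: tester raised {err!r}"}
    if not pos:
        return {"trustworthy": False,
                "verdict": "tester never reports success on a known-good login: stub or broken client"}
    if neg:
        return {"trustworthy": False,
                "verdict": "tester accepted a known-bad login: results would be false positives"}
    return {"trustworthy": True, "verdict": "control credentials classified correctly"}


def run_control_checks() -> dict:
    """Exercise the stub, a working tester, and an unreachable host against the same controls."""
    valid, invalid = ("labuser", "Canary!2026"), ("labuser", "wrong-password")
    return {
        "stub": verify_tester(stub_test_credential, "10.0.5.200", 22, valid, invalid),
        "working": verify_tester(lab_login, "10.0.5.200", 22, valid, invalid),
        "unreachable": verify_tester(lab_login, "10.0.5.201", 22, valid, invalid),
    }


if __name__ == "__main__":
    for name, result in run_control_checks().items():
        print(f"{name:12s} trustworthy={result['trustworthy']}  {result['verdict']}")
```

The control account should exist only on the lab host and be removed after the check; its purpose is to make the tester's own false-negative rate observable, which an audit run against production targets never does.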
