password-manager
Analysis
This looks like a local password manager rather than malware, but it stores and backs up real passwords in plaintext and uses weak password-generation randomness, so it needs careful review before use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
import random ... password = ''.join(random.choice(charset) for _ in range(length))
The password generator uses Python's non-cryptographic random module while the skill advertises strong password generation, which is not an appropriate security posture for account passwords.
Source: unknown; Homepage: none
The skill's provenance is not independently linked or documented; this is especially worth noticing for software intended to manage passwords.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
"password": password,
The code stores the user-supplied account password directly in the password record; combined with the README's statement that storage is not encrypted by default, this gives the skill and local file readers access to real credentials.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
if self.data.get("settings", {}).get("auto_backup", True): self._create_backup() ... json.dump(self.data, f, indent=2, ensure_ascii=False)Every save can create a backup copy of the full password database, duplicating sensitive data into persistent local files without shown encryption, retention limits, or secure deletion.