Password Generator

Review

Audited by ClawScan on May 10, 2026.

Overview

This prompt-only password helper is locally scoped, but its strong security claims for generated passwords, API keys, and tokens warrant review before relying on it for real credentials.

Review this skill before using it for real credentials. It appears locally scoped and does not include code or network calls, but you should not paste live passwords into chat, and you should prefer a password manager or other cryptographically secure generator for real passwords, API keys, and tokens.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may rely on an AI-generated password, API key, or token as if it were produced by a secure password manager, which could create weaker or more predictable credentials.

Why it was flagged

The skill presents model-generated outputs as strong credentials and tokens, but the prompt does not require a cryptographic random generator or disclose that prompt-only generation may not provide reliable entropy.

Skill content

generate API key, create secure token ... Generate using cryptographically-inspired randomness patterns ... Strength: ████████████ VERY STRONG

Recommendation

Use a vetted password manager or operating-system cryptographic random generator for real credentials, or revise the skill to call a secure generator and clearly label model-only outputs as ideas rather than guaranteed-secure secrets.

What this means

If a user pastes a real password, it will be visible to the agent and may remain in the chat history, even though the skill says it will not store passwords in its settings file.

Why it was flagged

The skill supports password strength checking by having the user provide a password-like string and then echoing it back in the response. This is aligned with the feature, but the data is sensitive.

Skill content

User: "check strength: MyPassword123" ... 🔑 Summer2024!

Recommendation

Do not paste current or live passwords into the skill. Use example patterns, partial redactions, or a local password manager’s strength checker instead.

What this means

The skill may create and update local settings/statistics files, but the artifacts do not show broad file access or password storage.

Why it was flagged

The skill requests local read/write capability and documents storage of preferences and counters under a scoped .openclaw directory. This is disclosed and purpose-aligned.

Skill content

requires":{"tools":["read","write"]} ... All data stored under `~/.openclaw/password-generator/`: - `settings.json` — preferences and stats

Recommendation

Verify that any writes remain limited to ~/.openclaw/password-generator/ and avoid adding actual passwords to saved settings.