Password Generator

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: password-gen-pro
Version: 1.0.0

The OpenClaw AgentSkills skill bundle 'password-gen-pro' appears benign. The `SKILL.md` explicitly states that it makes 'NO external API calls, NO network requests, NO data sent to any server' and 'NEVER stores actual passwords'. The only shell command instructed is `mkdir -p ~/.openclaw/password-generator` for local data storage, which is a standard and benign operation. All features described are local password generation and analysis, with strong emphasis on user privacy and security best practices. There is no evidence of data exfiltration, malicious execution, persistence, or obfuscation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may rely on an AI-generated password, API key, or token as if it were produced by a secure password manager, which could create weaker or more predictable credentials.

Why it was flagged

The skill presents model-generated outputs as strong credentials and tokens, but the prompt does not require a cryptographic random generator or disclose that prompt-only generation may not provide reliable entropy.

Skill content

generate API key, create secure token ... Generate using cryptographically-inspired randomness patterns ... Strength: ████████████ VERY STRONG

Recommendation

Use a vetted password manager or operating-system cryptographic random generator for real credentials, or revise the skill to call a secure generator and clearly label model-only outputs as ideas rather than guaranteed-secure secrets.

What this means

If a user pastes a real password, it will be visible to the agent and may remain in the chat history, even though the skill says it will not store passwords in its settings file.

Why it was flagged

The skill supports password strength checking by having the user provide a password-like string and then echoing it back in the response. This is aligned with the feature, but the data is sensitive.

Skill content

User: "check strength: MyPassword123" ... 🔑 Summer2024!

Recommendation

Do not paste current or live passwords into the skill. Use example patterns, partial redactions, or a local password manager’s strength checker instead.

What this means

The skill may create and update local settings/statistics files, but the artifacts do not show broad file access or password storage.

Why it was flagged

The skill requests local read/write capability and documents storage of preferences and counters under a scoped .openclaw directory. This is disclosed and purpose-aligned.

Skill content

requires":{"tools":["read","write"]} ... All data stored under `~/.openclaw/password-generator/`: - `settings.json` — preferences and stats

Recommendation

Verify that any writes remain limited to ~/.openclaw/password-generator/ and avoid adding actual passwords to saved settings.