Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bcrypt Generate

v1.0.0

Hash passwords using bcrypt or verify a password against a bcrypt hash. Use when the user asks to bcrypt a password, generate a bcrypt hash, check if a passw...

0· 70·1 current·1 all-time
by Omar Hernandez (@ohernandez-dev-blossom)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the requested artifacts: the skill is instruction-only and requires only python3 to run bcrypt commands. There are no unrelated env vars, binaries, or config paths requested.
Instruction Scope
Instructions are narrowly focused on hashing and verification using Python's bcrypt library. However, the provided commands embed plaintext passwords directly on the shell command line (python3 -c '...b"PASSWORD"...'), which can expose secrets to shell history and to other local users via process listings on some systems. The SKILL.md does acknowledge complex-password issues and suggests using a temp Python script; it would be safer to recommend reading passwords via stdin or getpass.getpass() to avoid command-line exposure.
Install Mechanism
No install spec is present (instruction-only), so nothing is downloaded or written to disk by the skill itself. The doc correctly instructs the user to pip-install the bcrypt package if missing, which is expected.
Credentials
The skill requests no environment variables, credentials, or config paths. Its needs (python3 and the bcrypt package) are proportional to its purpose.
Persistence & Privilege
always is false and the skill does not request persistent system presence or modify other skills/configs. Autonomous invocation is enabled (the platform default) but is not combined with broad access or unusual privileges.
Assessment
This skill appears to do what it claims and asks for nothing unrelated. Primary practical concern: the example commands place plaintext passwords on the command line, which can be recorded in shell history or visible to other local users via process listings. To avoid this, prefer a short Python script that reads the password from stdin or uses getpass.getpass(), or accept the password via a secure prompt/file, instead of embedding it in the -c string. Only install the bcrypt package from PyPI (pip3 install bcrypt) if you trust your environment. Avoid pasting real production passwords into chat or logs.

latest: vk975sj9crs4p2t7s2annv5k92583dekd


Runtime requirements

Bins: python3