Bcrypt Generate
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is mostly coherent, but it tells the agent to place real passwords directly into shell commands, which can expose secrets or mishandle special characters.
Review before installing or using. The skill’s goal is legitimate, but avoid pasting real passwords into the provided shell one-liners. A safer implementation should read passwords from stdin or a prompt, validate the cost factor, and avoid shell interpolation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A password with special characters could be hashed incorrectly, exposed in the command line, or cause unintended local command execution if untrusted input is inserted.
The skill instructs direct substitution of user-controlled values into a shell command and Python code. Passwords or hashes containing `$`, backticks, quotes, or command-substitution syntax can be misinterpreted by the shell before Python ever sees them; `ROUNDS` is likewise substituted as raw text into the command rather than being validated as an integer.
python3 -c "import bcrypt; print(bcrypt.hashpw(b'PASSWORD', bcrypt.gensalt(rounds=ROUNDS)).decode())" ... Replace `PASSWORD` with the actual password and `ROUNDS` with the cost factor
Do not run the shown one-liners with raw user input. Use a small reviewed Python script that reads the password from stdin or a prompt, validates rounds as an integer from 4 to 31, and avoids shell interpolation.
Real passwords entered for hashing or verification may be exposed in places other than the final bcrypt hash, such as process listings, shell history, or session transcripts.
The skill is explicitly designed to handle plaintext passwords. That is purpose-aligned, but the instructions put the password into a command string where it may appear in process listings or execution transcripts.
**For hashing:** - Password string to hash ... Replace `PASSWORD` with the actual password
Use this only with passwords you are comfortable entering into the agent session, and prefer safer input handling that does not place secrets on the command line.
If bcrypt is not already installed, the user may install the latest package version from the Python package index.
The skill may require installing an external Python package, but the package version is not pinned. This is a normal dependency for the stated purpose, but it is still a supply-chain consideration.
This skill requires the Python `bcrypt` package. Install with: `pip3 install bcrypt`.
Install dependencies only from trusted package indexes and consider pinning a known-good bcrypt version in managed environments.
