Password Generator

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill means allowing the agent or user to run a local script to generate or analyze passwords.

Why it was flagged

The skill's intended workflow runs the included local Python helper. This is purpose-aligned and the provided source does not show dynamic execution, downloads, or network use.

Skill content
python3 scripts/password-gen.py generate
Recommendation

Run it only from the trusted skill directory and review the included script if you want assurance about local behavior.

What this means

Generated or analyzed passwords may be visible on screen, in terminal history, or in local logs if the user is not careful.

Why it was flagged

The skill intentionally handles password-like values through command-line input and plaintext terminal output. This is disclosed and purpose-aligned, but passwords are sensitive.

Skill content
python3 scripts/password-gen.py analyze "MyPassword123!" ... Generated passwords are shown in plain text ... Don't save passwords in command history
Recommendation

Use a private terminal, avoid analyzing real existing passwords via command-line arguments, and store generated passwords in a password manager.

What this means

A generated passphrase, especially with few words, may be easier to guess than a user expects from a security-focused password tool.

Why it was flagged

Passphrase mode uses a small fixed word list and returns a fixed medium strength label, so the skill's general secure-password framing should be interpreted cautiously for passphrases.

Skill content
def generate_passphrase(word_count=4, separator="-") ... words = [ ... ] ... "strength": "中"
Recommendation

For important accounts, prefer the random password generator with sufficient length or use a passphrase generator with a much larger word list and accurate entropy scoring.

Findings (1)

critical

suspicious.exposed_secret_literal

Location
SKILL.md:31
Finding
File appears to expose a hardcoded API secret or token.