Ravi passwords
v1.7.1
Store and retrieve website credentials — E2E encrypted password manager for domain/username/password entries. Do NOT use for API keys/secrets (use ravi-secre...
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the SKILL.md consistently describe a CLI-based E2E password manager (ravi passwords). However, the skill declares no required binaries, no install spec, and no required credentials or config paths — yet the instructions assume a 'ravi' CLI exists and performs encryption and network operations. A password manager reasonably needs an executable, a way to authenticate/unlock (master password, key), or an API endpoint; none are declared.
Instruction Scope
SKILL.md tells the agent to run commands that create/list/get/update/delete credentials and claims encryption is done before sending. It does not specify how the agent obtains the encryption key or authentication context, where entries are stored or sent, or any endpoints. Because the instructions involve handling highly sensitive secrets but leave key management and storage destination undefined, the scope is under-specified and grants ambiguous authority to the agent.
Install Mechanism
There is no install specification and no code files. For a CLI-driven password manager this is unexpected: either the runtime already needs a trusted 'ravi' binary on PATH (not documented), or the skill should provide install/auth instructions. The lack of an explicit install mechanism or known upstream source increases risk and makes the skill incoherent.
Credentials
The skill declares no required environment variables or primary credential, yet it operates on secrets. A password manager should justify where encryption keys or session tokens come from (env var, keyfile, prompt). The absence of any declared credential storage or key management is disproportionate to the sensitivity of the operation.
Persistence & Privilege
always is false (good). The skill is allowed to be invoked autonomously (platform default). Given this skill manipulates secrets, autonomous invocation increases blast radius if the implementation or CLI is untrusted — but lack of always:true means it is not force-installed. This is worth considering but not a standalone disqualifier.
What to consider before installing
Do not install or use this skill yet. The SKILL.md assumes a 'ravi' CLI that encrypts and sends password entries, but the bundle provides no binary, no install instructions, and no explanation of how encryption keys or authentication are managed. Before installing, ask the publisher for: (1) the official source or repository for the 'ravi' CLI and its cryptographic design (open-source audit recommended), (2) how the master key / passphrase is provided and stored (env var, keyfile, interactive prompt, hardware-backed key), (3) where encrypted data is sent/stored (service domain / API endpoint) and whether domain lookup plaintext storage is acceptable, and (4) any required install steps or binaries and their integrity checks (checksums/signatures). If you cannot verify the CLI's provenance and key management, prefer a well-known audited password manager. Also avoid giving the agent broad autonomous permission to access or transmit secrets until these questions are resolved.
Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Ravi Passwords
Store and retrieve passwords for services you sign up for. Sensitive fields (username, password, notes) are E2E encrypted — the CLI handles encryption/decryption transparently. Domain is stored in plaintext for lookup.
Commands
# Create entry (auto-generates password if --password not given)
ravi passwords create example.com --json
ravi passwords create example.com --username "me@example.com" --password 'S3cret!' --json
# List all entries
ravi passwords list --json
# Retrieve (decrypted)
ravi passwords get <uuid> --json
# Update
ravi passwords update <uuid> --password 'NewPass!' --json
# Delete
ravi passwords delete <uuid> --json
# Generate a password without storing it
ravi passwords generate --length 24 --json
# -> {"password": "xK9#mL2..."}
Create flags: --username, --password, --notes, --generate, --length (default 16), --no-special, --no-digits, --exclude-chars
JSON Shapes
ravi passwords list --json:
[
  {
    "uuid": "uuid",
    "domain": "example.com",
    "username": "me@example.com",
    "created_dt": "2026-02-25T10:30:00Z"
  }
]
ravi passwords get <uuid> --json:
{
  "uuid": "uuid",
  "domain": "example.com",
  "username": "me@example.com",
  "password": "S3cret!",
  "notes": "",
  "created_dt": "2026-02-25T10:30:00Z"
}
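An added example, not part of the skill or of the ravi project: one way a caller could consume the two `--json` shapes above defensively, rejecting output that drifts from the documented fields and redacting the fields the page lists as sensitive before anything is logged. The function names, the strict field check and the sample strings are assumptions of this example, built only from the shapes shown above.

```python
import json

# Field sets copied from the "JSON Shapes" section of this page.
LIST_FIELDS = {"uuid", "domain", "username", "created_dt"}
GET_FIELDS = LIST_FIELDS | {"password", "notes"}
# The page names username, password and notes as the sensitive fields.
SENSITIVE_FIELDS = {"username", "password", "notes"}


def parse_list(raw):
    """Parse `ravi passwords list --json` output; reject any shape drift."""
    entries = json.loads(raw)
    if not isinstance(entries, list):
        raise ValueError("list output must be a JSON array")
    for entry in entries:
        # Strict equality is this example's choice: a list entry that
        # suddenly carries a password field should stop the caller.
        if not isinstance(entry, dict) or set(entry) != LIST_FIELDS:
            raise ValueError("unexpected list entry shape")
    return entries


def parse_get(raw, expected_uuid):
    """Parse `ravi passwords get <uuid> --json`; confirm it is the record asked for."""
    record = json.loads(raw)
    if not isinstance(record, dict) or set(record) != GET_FIELDS:
        raise ValueError("unexpected get record shape")
    if record["uuid"] != expected_uuid:
        raise ValueError("record uuid does not match the request")
    return record


def uuids_for_domain(entries, domain):
    """Exact match on the plaintext domain field, never suffix or substring."""
    return [e["uuid"] for e in entries if e["domain"] == domain.lower()]


def redact(record):
    """Copy of a record that is safe to log or echo into a transcript."""
    return {k: ("<redacted>" if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}


# Constructed sample output, following the shapes shown on this page.
SAMPLE_LIST = ('[{"uuid": "uuid", "domain": "example.com", '
               '"username": "me@example.com", "created_dt": "2026-02-25T10:30:00Z"}]')
SAMPLE_GET = ('{"uuid": "uuid", "domain": "example.com", "username": "me@example.com", '
              '"password": "S3cret!", "notes": "", "created_dt": "2026-02-25T10:30:00Z"}')

if __name__ == "__main__":
    uuid = uuids_for_domain(parse_list(SAMPLE_LIST), "example.com")[0]
    print(redact(parse_get(SAMPLE_GET, uuid)))
```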
Important Notes
- E2E encryption is transparent — the CLI encrypts credential fields before sending and decrypts on retrieval. You see plaintext.
- Domain cleaning — ravi passwords create auto-cleans URLs to base domains (e.g., https://mail.google.com/inbox becomes google.com).
- Always use --json — human-readable output is not designed for parsing.
Related Skills
- ravi-secrets — Store API keys and env vars (key-value secrets, not website credentials)
- ravi-login — End-to-end signup/login workflows that store credentials here
- ravi-identity — Get your email address for the username field
- ravi-feedback — Report password manager issues or suggest improvements
