Ravi passwords
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: ravi-passwords
Version: 2.1.1
The ravi-passwords skill provides a CLI-based interface for managing website credentials via a remote service (ravi.id). It supports standard password management features such as creation, retrieval, updating, and deletion of entries, as well as password generation. While the skill handles sensitive data and transmits it to a remote server, its behavior is entirely consistent with its stated purpose as a password manager, and the SKILL.md contains no evidence of malicious intent, obfuscation, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A login task for one site could expose many stored website passwords in command output, transcripts, shell history, or logs.
The documented list operation returns plaintext passwords and the common pattern uses it to search for one domain, so unrelated saved passwords may be retrieved into the agent/tool context.
"ravi passwords list" ... "password": "S3cret!" ... ENTRY=$(ravi passwords list | jq -r '.[] | select(.domain == "example.com")')
Use a metadata-only list or domain-specific lookup if available, retrieve only the credential the user requested, and require explicit user approval before displaying or using any password.
Anyone or anything that can use this skill in the user’s session may be able to retrieve credentials that grant access to websites.
The skill explicitly handles plaintext website credentials through the Ravi service; this is purpose-aligned for a password manager but gives access to user accounts.
All credential fields (username, password, notes) are server-side encrypted — you send and receive plaintext.
Install only if you trust Ravi with website passwords, do not store API keys or unrelated secrets here, and limit use to user-approved login/signup tasks.
An accidental or autonomous update/delete could remove a saved password or replace it with the wrong value, potentially locking the user out of a website.
The documented commands can modify or delete stored credentials. That is expected for a password manager, but it is high-impact if invoked without clear user intent.
ravi passwords update <uuid> --password "NewPass!" ... ravi passwords delete <uuid>
Require explicit confirmation before create, update, or delete actions, and show the domain and username being changed without exposing the password unnecessarily.
Users must trust an external Ravi CLI/service that is not reviewed in this artifact set.
The artifact provides no code or installation details, while the skill relies on external commands to handle plaintext passwords, so provenance and runtime behavior are not verifiable from the supplied package.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Required binaries (all must exist): none
Verify the official Ravi CLI installation source, authentication model, and documentation before using the skill with real passwords.
