ClawHub

gopass

v1.0.0

Store, retrieve, list, and manage secrets using gopass (the team password manager). Use when the user asks to save credentials, look up passwords, generate secrets, manage password entries, or interact with a gopass password store. Covers CRUD operations, secret generation, TOTP, recipients, mounting stores, and clipboard operations.

1· 1.6k·1 current·1 all-time
by@erdgeclaw
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the SKILL.md: it documents gopass CLI usage (CRUD, generate, TOTP, recipients, mounts, sync). Prerequisites (gopass binary, GPG key, initialized store) are appropriate for this purpose.
Instruction Scope
Instructions are limited to running gopass CLI commands (show, insert, generate, rm, sync, mounts, otp, etc.). These commands access local password stores, may copy secrets to clipboard, open $EDITOR, or run git sync operations — all expected for a password-manager helper but they do operate on sensitive local data and may push/pull to configured git remotes.
Install Mechanism
No install spec or code is provided (instruction-only). Nothing is downloaded or written by the skill itself — the agent will rely on an existing gopass/GPG installation.
Credentials
The skill declares no required env vars or credentials, which is appropriate. The documentation references $EDITOR and GOPASS_NO_NOTIFY and expects a GPG key and git remotes; those are legitimate runtime prerequisites but they are not requested as explicit credentials by the skill.
Persistence & Privilege
always:false and no install/auto-enable behavior. The skill can be invoked by the agent (normal), but it does not request persistent system-level privileges or modify other skills' configs.
Assessment
This skill appears coherent and does only what a gopass CLI helper should do, but it will cause the agent to run commands that access your local secrets. Before installing or allowing use: - Only use with agents you trust to run local commands. The agent will run gopass commands that read/write secrets and may copy them to the clipboard. Clipboard contents can be leaked or persisted by other software. - Be aware that gopass sync uses git: running sync may push/pull secrets to configured git remotes. Verify your gopass store's remote configuration. - The skill assumes you have gopass and GPG keys set up locally; it does not install them. Ensure those tools are installed and configured as you expect. - Piping secrets into commands or using non-interactive inserts can expose secrets in shell history or logs — prefer secure workflows. - The skill source is unknown; since it is instruction-only, review the SKILL.md content (already consistent) and exercise least privilege when granting agent execution rights. If you need broader assurance, require a vetted install spec or limit the agent's ability to run system commands that touch your credential stores.

Like a lobster shell, security has layers — review code before you run it.

latestvk975cvp3vt5sag95sw5nj55q2x808f4a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments