Ravi passwords
v2.1.1
Store and retrieve website credentials — password manager for domain/username/password entries. Do NOT use for API keys/secrets (use ravi-secrets) or reading...
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes storing/retrieving website credentials via a 'ravi' CLI (ravi passwords ...). That purpose is plausible, but the skill metadata declares no required binaries, no install steps, and no primary credential. A password-manager skill would normally require the ravi CLI binary (or an API token/config) to exist and authenticate the user; omitting those is inconsistent.
Instruction Scope
Runtime instructions show shell usage that expects the 'ravi' CLI and use of jq pipelines to parse JSON and extract plaintext passwords. The instructions themselves do not ask the agent to read unrelated files or exfiltrate data, but they do assume local tooling and an authenticated session without documenting how to obtain credentials or where authentication state is stored.
Install Mechanism
There is no install spec (instruction-only), which minimizes on-disk risk. However, the instructions rely on an external 'ravi' binary (and implicitly jq) but do not declare them or provide installation guidance — an omission that reduces transparency and may hide required setup steps.
Credentials
The skill declares no required environment variables or config paths. For a password manager, one would expect credentials, an API token, or a documented authentication flow. The lack of declared credentials or config paths is disproportionate to the sensitivity of operations (creating/retrieving plaintext passwords).
Persistence & Privilege
Flags are default: always=false and model invocation allowed. The skill does not request persistent system privileges or modify other skills. No elevated persistence concerns were found.
What to consider before installing
This skill's instructions call an external 'ravi' CLI and show workflows that return plaintext passwords, but the package metadata doesn't declare the CLI, jq, or any authentication mechanism. Before installing or using: verify where the 'ravi' binary comes from and the trustworthiness of its publisher; confirm how you authenticate (API token, local config, or login) and where credentials are stored; ensure TLS/server identity for ravi.id; install and inspect the ravi CLI yourself (or its source code) rather than relying on this skill; do not store highly sensitive secrets (API keys) here per the skill's own note; and ask the publisher for explicit install/authentication steps and a privacy/security policy. If you can't validate those, avoid using the skill for important credentials.
Like a lobster shell, security has layers — review code before you run it.
latest
Ravi Passwords
Store and retrieve passwords for services you sign up for. All credential fields (username, password, notes) are server-side encrypted — you send and receive plaintext.
Commands
# Create entry (auto-generates password if password not given)
ravi passwords create example.com
# Create with username and password
ravi passwords create example.com --username "me@example.com" --password "S3cret!"
# List all entries
ravi passwords list
# Retrieve a specific entry by UUID
ravi passwords get <uuid>
# Update an entry
ravi passwords update <uuid> --password "NewPass!"
# Delete an entry
ravi passwords delete <uuid>
# Generate a password without storing it
ravi passwords generate
Create fields: domain (required), --username, --password, --notes
If --password is omitted, the server auto-generates a strong password.
JSON Shapes
ravi passwords list:
[
  {
    "uuid": "uuid",
    "identity": 1,
    "domain": "example.com",
    "username": "me@example.com",
    "password": "S3cret!",
    "notes": "",
    "created_dt": "2026-02-25T10:30:00Z",
    "updated_dt": "2026-02-25T10:30:00Z"
  }
]
ravi passwords get <uuid>:
{
  "uuid": "uuid",
  "identity": 1,
  "domain": "example.com",
  "username": "me@example.com",
  "password": "S3cret!",
  "notes": "",
  "created_dt": "2026-02-25T10:30:00Z",
  "updated_dt": "2026-02-25T10:30:00Z"
}
Common Patterns
Sign up for a service — store credentials immediately
# Generate and store credentials during signup
CREDS=$(ravi passwords create example.com --username "me@example.com")
# printf instead of echo: some shells' echo rewrites backslash escapes in the JSON
PASSWORD=$(printf '%s' "$CREDS" | jq -r '.password')
# Use $PASSWORD in the signup form
Log into a service — retrieve stored credentials
# Find entry by domain
ENTRY=$(ravi passwords list | jq -r '.[] | select(.domain == "example.com")')
# printf instead of echo: some shells' echo rewrites backslash escapes in the JSON
UUID=$(printf '%s' "$ENTRY" | jq -r '.uuid')
# Get full credentials including password
CREDS=$(ravi passwords get "$UUID")
USERNAME=$(printf '%s' "$CREDS" | jq -r '.username')
PASSWORD=$(printf '%s' "$CREDS" | jq -r '.password')
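The lookup above proceeds silently when no entry or several entries share a domain, and the list output carries every plaintext password. The following is an added example, not part of the skill or the ravi project: it fails closed on zero or multiple matches, checks that the `ravi` binary exists before calling it, and masks secret fields before logging. The function names and sample data are constructed for illustration.

```python
import json
import shutil
import subprocess

# Constructed sample in the documented `ravi passwords list` shape (not real data).
SAMPLE_LIST = json.dumps([
    {"uuid": "11111111-aaaa", "identity": 1, "domain": "example.com",
     "username": "me@example.com", "password": "S3cret!", "notes": ""},
    {"uuid": "22222222-bbbb", "identity": 1, "domain": "example.org",
     "username": "a@example.org", "password": "pw-a", "notes": ""},
    {"uuid": "33333333-cccc", "identity": 1, "domain": "example.org",
     "username": "b@example.org", "password": "pw-b", "notes": ""},
])


def list_entries():
    """Run `ravi passwords list`; refuse to run if the CLI is not on PATH."""
    if shutil.which("ravi") is None:
        raise RuntimeError("ravi CLI not found on PATH")
    return subprocess.run(["ravi", "passwords", "list"], check=True,
                          capture_output=True, text=True).stdout


def find_entry(list_json, domain, username=None):
    """Return exactly one entry for domain (and username), or raise LookupError."""
    matches = [e for e in json.loads(list_json)
               if e.get("domain") == domain
               and (username is None or e.get("username") == username)]
    if not matches:
        raise LookupError(f"no entry for {domain}")
    if len(matches) > 1:
        users = sorted(e.get("username", "") for e in matches)
        raise LookupError(f"{len(matches)} entries for {domain}: {users}")
    return matches[0]


def redact(entry):
    """Copy of an entry that is safe to log: password and notes are masked."""
    return {k: ("***" if k in ("password", "notes") else v)
            for k, v in entry.items()}


if __name__ == "__main__":
    entry = find_entry(SAMPLE_LIST, "example.com")
    print(redact(entry))  # the plaintext password never reaches stdout or logs
```

Against a real installation, pass `list_entries()` as the first argument to `find_entry` in place of `SAMPLE_LIST`.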
Important Notes
- Server-side encryption is transparent — you always see plaintext values.
- Domain cleaning — pass the bare domain (e.g., example.com), not a full URL. The server normalizes it.
- Auto-generate password — if --password is omitted when creating an entry, the server auto-generates a strong password. The generated password is returned in the response.
- Domain normalization — the server strips subdomains (e.g. app.example.com becomes example.com). Pass the bare domain or a full URL — both work.
Full API Reference
For complete endpoint details, request/response schemas, and parameters: Passwords
Related Skills
- ravi-secrets — Store API keys and env vars (key-value secrets, not website credentials)
- ravi-login — End-to-end signup/login workflows that store credentials here
- ravi-identity — Get your email address for the username field
- ravi-feedback — Report password manager issues or suggest improvements
