Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using it.

Session Password

Provides secure session authentication using bcrypt-hashed passwords, security questions, email recovery, and lockout protection with audit logging.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 current installs · 0 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the included code: setup, uninstall, local storage of bcrypt hashes, audit logging and timeouts are implemented. Billing integration with SkillPay is also present and aligns with the package metadata. However, the repository contains a hard-coded SkillPay API key and multiple inconsistent price values in comments/test scripts (0.01, 0.9, 29 USDT), which is unexpected given the simple authentication purpose.
Instruction Scope
SKILL.md instructs running the local setup and uninstall scripts and describes email recovery. The setup script collects and stores the email address and the hashed passphrase locally, but nothing in the codebase actually sends recovery emails (there is no SMTP or mail-API integration). The 'Email recovery system' feature is therefore claimed but not implemented here, a gap the maintainer should explain. Audit logs are local and saved with 0600 permissions, which is appropriate.
Install Mechanism
No external download/install spec is present; installation is via npm (package.json). All code is local. No remote archives or shorteners are used. The dependency list is small (bcrypt, axios), though axios is declared but not used in the provided scripts (scripts use global fetch).
Credentials
The skill declares no required environment variables, yet it contains a hard-coded billing API key in package.json and scripts (sk_... value) and makes network calls to skillpay.me. Hard-coding a provider API key in the repo is a privacy/supply-chain concern and is disproportionate for a local auth helper — billing credentials should be provided by the integrator as environment variables. Also, the billing code accepts a userId and will contact external endpoints; installing this skill exposes at least user identifiers and billing calls to an external service.
Persistence & Privilege
The skill does not request persistent platform privileges (always: false). It writes its own files under the OpenClaw workspace memory directory and can remove its own skill directory during uninstall. It does not modify other skills or global agent config.
What to consider before installing
  • Billing API key exposed: the repo contains a hard-coded SkillPay API key and skillId. That is sensitive and unusual; ask the author to remove embedded keys and use environment variables instead.
  • External network calls: the billing code will call https://skillpay.me with a userId. Confirm what user identifier is sent and whether you are comfortable sending it to a third party. Review SkillPay's privacy policy and terms.
  • Email recovery not implemented: the setup requires a recovery email, but there is no code that sends recovery codes. Ask the maintainer how recovery codes are delivered and where any mail-sending credentials would be stored.
  • Inconsistent pricing: comments and test scripts contain differing prices (0.01 vs 0.9 vs 29 USDT). Verify the actual billing behavior to avoid unexpected charges.
  • Audit logs and stored data: the setup writes the user email and audit entries to files under your workspace. Ensure the workspace is secured and that you accept those data being stored there.
  • Recommended actions: ask the author to (1) remove hard-coded keys or document the required environment variables for billing, (2) implement or document the email delivery mechanism for recovery, (3) clarify pricing and the billing fallback behavior (the billing handler currently grants access if billing fails, i.e. it fails open), and (4) rotate the exposed API key; consider that rotation a prerequisite if you plan to use this skill.


Current version: v1.5.0
Tags: authentication, billing, latest, paid, security

SKILL.md

Session Password

Version: 1.5.0
Author: squallsol
Price: $0.01 USDT per call
Platform: SkillPay


Description

A secure passphrase authentication guard for OpenClaw sessions. Protects access with bcrypt-hashed passwords, security questions, and email recovery.

Triggers: at session start, and whenever the user mentions "口令" (passphrase), "密码" (password), "password", "认证" (authentication), "authentication", or similar authentication-related terms.


Pricing

Plan        Price        Description
Per call    $0.01 USDT   Pay per use

Billing is handled via SkillPay (BNB Chain USDT).


Features

  • ✅ bcrypt password hashing (cost factor 12)
  • ✅ Configurable timeout (default 60 min)
  • ✅ Security question backup
  • ✅ Email recovery system
  • ✅ Failed attempt lockout (5 attempts, 15 min)
  • ✅ Bilingual support (zh-CN/en)
  • ✅ Audit logging
  • ✅ SkillPay billing integration

Setup

Run the setup wizard:

node skills/session-password/scripts/setup.js

Configuration Files

File                       Description
memory/auth-config.json    Main configuration
memory/auth-users.json     User credentials
memory/auth-state.json     Session state
memory/auth-audit.log      Audit log

Commands

Chinese         English                 Action
忘记口令        forgot password         Trigger email recovery
修改口令        change password         Change passphrase
卸载口令skill   uninstall auth skill    Remove authentication

Uninstall

node skills/session-password/scripts/uninstall.js

License

MIT

Files: 11 total
