Pywayne Crypto
v0.1.0
Encryption and decryption toolkit for string and byte data. Supports Fernet (AES-128) symmetric encryption, fallback XOR encryption, custom password protecti...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to be an encryption toolkit (pywayne.crypto) and shows Python APIs, but there is no code bundle, no install spec, and no homepage or source. A consumer installing this skill would expect the library to be provided or a safe install path (PyPI/GitHub) to be given; neither is present, and that gap is inconsistent with the described purpose.
Instruction Scope
The SKILL.md instructs using encrypt/decrypt, batch operations, save/load config (writing encrypted files), and mentions code obfuscation. It does not instruct reading unrelated system files or exfiltrating data, but it assumes filesystem access and handling of sensitive secrets. The doc also recommends using environment variables for keys but does not declare or require any specific env vars; default key behavior is unspecified (potentially insecure). The inclusion of 'code obfuscation' is notable because it can be abused to hide malicious code.
Install Mechanism
There is no install spec. Because the instructions reference 'from pywayne.crypto import ...' an agent or user would need to install that package from somewhere; no trusted source (PyPI name, GitHub repo, release URL) is provided. That lack of provenance increases risk if an agent attempts to fetch/install an unknown package.
Credentials
The skill requests no env vars or credentials in metadata, but the docs advise passing keys via environment variables and refer to a 'default key' when no password is provided. Absence of declared required secrets while recommending env-based keys is a mismatch. The skill does not explicitly request unrelated credentials, which is appropriate, but key management details are underspecified and could lead to insecure defaults.
Persistence & Privilege
The skill does not request always:true or any elevated persistent privileges. It is user-invocable and allows model invocation (platform defaults); nothing here amplifies privilege beyond normal.
What to consider before installing
This SKILL.md looks like documentation for a Python library, but the skill bundle does not include the library nor an install source. Before installing or using it: 1) verify the package exists from a trusted source (PyPI/GitHub) and review its code; 2) avoid using any 'default key' — require explicit key management and avoid hardcoded secrets; 3) be cautious about the 'code obfuscation' feature (it can be abused to hide malicious behavior); 4) prefer a skill that either bundles audited code or provides a clear, trusted install URL and provenance. If you cannot verify the upstream project and its code, do not use this skill for protecting real secrets.
Like a lobster shell, security has layers — review code before you run it.
