Password Generator

Warn

Audited by ClawScan on May 10, 2026.

Overview

This password generator works as described, but it saves generated passwords in plaintext and uses a non-cryptographic random generator despite claiming to create secure passwords.

Review carefully before installing. Avoid using this skill for important accounts unless it is changed to use a cryptographically secure random generator and stops saving passwords to plaintext memory by default.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A generated password may remain readable in local agent memory after the task, increasing the chance that future tasks, users, or tools could expose it.

Why it was flagged

The script persistently appends generated passwords in plaintext to a workspace memory file. Passwords are sensitive credentials once used, and the artifacts do not provide opt-out, encryption, retention limits, or cleanup guidance.

Skill content

memory_dir = '/root/.openclaw/workspace/memory' ... new_entry = f"""\n## {date}\n\n- **随机密码**\n  - 密码: `{password}` ...""" ... with open(password_file, 'a') as f: f.write(new_entry)

Recommendation

Do not store generated passwords in memory by default. Show the password once, or require explicit user confirmation before saving; if saving is needed, use a dedicated password manager or encrypted storage.

What this means

Users may trust the output as a secure account password when the generation method is weaker than expected for password security.

Why it was flagged

The skill is described as generating secure passwords, but the implementation uses Python's general-purpose `random` module rather than a cryptographic generator such as `secrets`. It also samples from a combined character pool, so it does not guarantee every advertised character class appears.

Skill content

import random ... length = random.randint(min_length, max_length) ... password = ''.join(random.choice(chars) for _ in range(length))

Recommendation

Use Python's `secrets` module, such as `secrets.choice`, and explicitly enforce required character classes if the skill claims every class is included.