Password Generator
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: password-generator
Version: 1.1.0
The skill accurately implements its stated purpose: generating a random password and saving it to a markdown file within the agent's designated memory directory (`/root/.openclaw/workspace/memory/passwords.md`). There are no signs of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts in SKILL.md. All file operations are confined to the agent's workspace and are consistent with the skill's functionality.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated password may remain readable in local agent memory after the task, increasing the chance that future tasks, users, or tools could expose it.
The script persistently appends generated passwords in plaintext to a workspace memory file. Passwords are sensitive credentials once used, and the artifacts do not provide opt-out, encryption, retention limits, or cleanup guidance.
memory_dir = '/root/.openclaw/workspace/memory' ... new_entry = f"""\n## {date}\n\n- **随机密码**\n - 密码: `{password}` ...""" ... with open(password_file, 'a') as f: f.write(new_entry)
Do not store generated passwords in memory by default. Show the password once, or require explicit user confirmation before saving; if saving is needed, use a dedicated password manager or encrypted storage.
Users may trust the output as a secure account password when the generation method is weaker than expected for password security.
The skill is described as generating secure passwords, but the implementation uses Python's general-purpose `random` module rather than a cryptographic generator such as `secrets`. It also samples from a combined character pool, so it does not guarantee every advertised character class appears.
import random ... length = random.randint(min_length, max_length) ... password = ''.join(random.choice(chars) for _ in range(length))
Use Python's `secrets` module, such as `secrets.choice`, and explicitly enforce required character classes if the skill claims every class is included.
