← Back to Skills Marketplace
259
Downloads
1
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install passmanager
Description
本地加密密码管理系统,基于AES-256和SQLite,支持多级权限、自动备份,替代1Password实现企业安全可控密码管理。
Usage Guidance
Do not install this into a production or sensitive OpenClaw environment yet. Key issues: the SKILL.md promises AES-256/TLS/key rotation/backups but the only included code uses weak 'base64+reverse' encoding and no key management; many files and scripts described in the documentation are missing; the code writes persistent data under /root/.openclaw/secrets (the platform's secrets area) which could mix with agent secrets. Before using: 1) require the author/source repository and verify integrity (there's no homepage and source is 'unknown'); 2) obtain the missing scripts and full source; 3) perform a code review to confirm proper AES (with secure key derivation, KDF, IV handling), TLS and network code, safe backup endpoints, and no hidden exfiltration; 4) change default data paths to a controlled directory (do not reuse platform secrets directory) and run in an isolated environment; 5) prefer a well-audited password manager or have this code security-audited and fixed (implement proper cryptography, secure logging, and access control) before entrusting real secrets. If you want, I can list the exact code changes needed to bring the implementation closer to the claimed security posture.
Capability Analysis
Type: OpenClaw Skill
Name: passmanager
Version: 1.0.0
The skill bundle claims to be a secure, AES-256 encrypted password manager in SKILL.md, but the actual implementation in scripts/passmanager.py uses a trivial and insecure Base64-reversal scheme for 'encryption.' There is a significant discrepancy between the documentation's security claims (AES-256, TLS 1.3) and the code's reality, which constitutes 'snake oil' security. Additionally, the script contains hardcoded assistant identities (e.g., '小新') and lacks many of the administrative commands described in the documentation, suggesting the code is either incomplete or intentionally misleading regarding its security properties.
Capability Assessment
Purpose & Capability
The SKILL.md promises AES-256 encryption, TLS transport, key rotation, automated backups, cluster deploy, and many helper scripts. The actual repository contains a single Python file that implements only a very simple base64+reverse 'encryption', a local SQLite DB, and basic logging. Many referenced scripts and features (backup.py, setup.py, deploy_*.py, monitor.py, config docs, TLS/key-management code) are absent. This is a clear mismatch between claimed capabilities and actual code.
Instruction Scope
Runtime instructions tell the agent to initialize and run scripts under /root/.openclaw/workspace/skills/passmanager and reference many commands and files that do not exist in the bundle. The SKILL.md and code instruct creation and use of files under /root/.openclaw/secrets (database, backups, logs), which is the platform's sensitive area — the skill will read/write persistent secrets and logs in that location. The instructions also promise networked features (TLS, backups, cluster) but no network code or remote endpoints are present in the included script.
Install Mechanism
There is no formal install spec (instruction-only skill) and the code file will be executed locally via python. That minimizes supply-chain download risk, but the script will create and persist files under /root/.openclaw/secrets and logs, which can shadow or mix with platform-level secret storage. The SKILL.md suggests installing via 'skillhub' or git clone but no authoritative repository/homepage is provided (source is 'unknown').
Credentials
The skill declares no required environment variables or credentials, yet the code hardcodes filesystem paths under /root/.openclaw/secrets and writes DB/logs there. That effectively requires write access to the agent's secret storage area. Also, the SKILL.md claims strong cryptography and key management but the code uses an insecure 'simple_encrypt' (base64 + reverse) with no key, KDF, or AES implementation — a substantive security misrepresentation.
Persistence & Privilege
always:false (normal). However the skill writes persistent artifacts (database, log files, backups path) into the agent's secrets directory and could therefore persist sensitive data on disk. That persistent presence combined with the mismatch in crypto claims increases risk if deployed without review.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install passmanager - After installation, invoke the skill by name or use
/passmanager - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
PassManager Skill 1.0.0 – Initial Release
- First public release for enterprise password management
- Provides secure, local storage with AES-256 encryption
- Implements assistant permission control (admin, user, auditor, guest)
- Features full access logging and automated backup
- Includes scripts for setup, backup, monitoring, and batch operations
- Integrates seamlessly with OpenClaw assistant system
Metadata
Frequently Asked Questions
What is PassManager?
本地加密密码管理系统,基于AES-256和SQLite,支持多级权限、自动备份,替代1Password实现企业安全可控密码管理。 It is an AI Agent Skill for Claude Code / OpenClaw, with 259 downloads so far.
How do I install PassManager?
Run "/install passmanager" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is PassManager free?
Yes, PassManager is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does PassManager support?
PassManager is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created PassManager?
It is built and maintained by isenlink (@isenlink); the current version is v1.0.0.
More Skills