Total downloads: 259
Favorites: 1
Current installs: 0
Versions: 1
Install in OpenClaw
/install passmanager
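Description
A local encrypted password management system based on AES-256 and SQLite, supporting multi-level permissions and automatic backup, replacing 1Password to provide secure, controllable enterprise password management.
Security usage recommendations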
Do not install this into a production or sensitive OpenClaw environment yet. Key issues: the SKILL.md promises AES-256/TLS/key rotation/backups but the only included code uses weak 'base64+reverse' encoding and no key management; many files and scripts described in the documentation are missing; the code writes persistent data under /root/.openclaw/secrets (the platform's secrets area) which could mix with agent secrets. Before using: 1) require the author/source repository and verify integrity (there's no homepage and source is 'unknown'); 2) obtain the missing scripts and full source; 3) perform a code review to confirm proper AES (with secure key derivation, KDF, IV handling), TLS and network code, safe backup endpoints, and no hidden exfiltration; 4) change default data paths to a controlled directory (do not reuse platform secrets directory) and run in an isolated environment; 5) prefer a well-audited password manager or have this code security-audited and fixed (implement proper cryptography, secure logging, and access control) before entrusting real secrets.
Functional analysis
Type: OpenClaw Skill
Name: passmanager
Version: 1.0.0
The skill bundle claims to be a secure, AES-256 encrypted password manager in SKILL.md, but the actual implementation in scripts/passmanager.py uses a trivial and insecure Base64-reversal scheme for 'encryption.' There is a significant discrepancy between the documentation's security claims (AES-256, TLS 1.3) and the code's reality, which constitutes 'snake oil' security. Additionally, the script contains hardcoded assistant identities (e.g., '小新') and lacks many of the administrative commands described in the documentation, suggesting the code is either incomplete or intentionally misleading regarding its security properties.
Capability assessment
Purpose & Capability
The SKILL.md promises AES-256 encryption, TLS transport, key rotation, automated backups, cluster deploy, and many helper scripts. The actual repository contains a single Python file that implements only a very simple base64+reverse 'encryption', a local SQLite DB, and basic logging. Many referenced scripts and features (backup.py, setup.py, deploy_*.py, monitor.py, config docs, TLS/key-management code) are absent. This is a clear mismatch between claimed capabilities and actual code.
Instruction Scope
Runtime instructions tell the agent to initialize and run scripts under /root/.openclaw/workspace/skills/passmanager and reference many commands and files that do not exist in the bundle. The SKILL.md and code instruct creation and use of files under /root/.openclaw/secrets (database, backups, logs), which is the platform's sensitive area — the skill will read/write persistent secrets and logs in that location. The instructions also promise networked features (TLS, backups, cluster) but no network code or remote endpoints are present in the included script.
Install Mechanism
There is no formal install spec (instruction-only skill) and the code file will be executed locally via python. That minimizes supply-chain download risk, but the script will create and persist files under /root/.openclaw/secrets and logs, which can shadow or mix with platform-level secret storage. The SKILL.md suggests installing via 'skillhub' or git clone but no authoritative repository/homepage is provided (source is 'unknown').
Credentials
The skill declares no required environment variables or credentials, yet the code hardcodes filesystem paths under /root/.openclaw/secrets and writes DB/logs there. That effectively requires write access to the agent's secret storage area. Also, the SKILL.md claims strong cryptography and key management but the code uses an insecure 'simple_encrypt' (base64 + reverse) with no key, KDF, or AES implementation — a substantive security misrepresentation.
Persistence & Privilege
always:false (normal). However the skill writes persistent artifacts (database, log files, backups path) into the agent's secrets directory and could therefore persist sensitive data on disk. That persistent presence combined with the mismatch in crypto claims increases risk if deployed without review.
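How to use
- Make sure OpenClaw is installed (locally or via Docker)
- Enter the install command in the chat box: /install passmanager
- Once installation completes, call the Skill by name or trigger it with /passmanager
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history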
v1.0.0
PassManager Skill 1.0.0 – Initial Release
- First public release for enterprise password management
- Provides secure, local storage with AES-256 encryption
- Implements assistant permission control (admin, user, auditor, guest)
- Features full access logging and automated backup
- Includes scripts for setup, backup, monitoring, and batch operations
- Integrates seamlessly with OpenClaw assistant system
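FAQ
What is PassManager?
A local encrypted password management system based on AES-256 and SQLite, supporting multi-level permissions and automatic backup, replacing 1Password to provide secure, controllable enterprise password management. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 259 cumulative downloads to date.
How do I install PassManager?
Run the command "/install passmanager" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.
Is PassManager free?
Yes, PassManager is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does PassManager support?
PassManager runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed PassManager?
It is developed and maintained by isenlink (@isenlink); the current version is v1.0.0.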