Password Manager

A fully local password management skill for OpenClaw with AES-256-GCM encryption, password generation, and sensitive info detection.

This skill appears to do what it claims (a local encrypted password vault) and contains its implementation in the package rather than pulling remote code. Before installing, consider the following: - Source verification: the skill's source/homepage is unknown. If you will store sensitive secrets, prefer code from a known maintainer or review the full source yourself. - Disk location and permissions: the vault (data/vault.enc), cache (.cache/key.enc), and history files are written under the skill's package directories. Ensure those directories are located on secure storage and have strict filesystem permissions so other users/processes cannot read them. - Environment variable risk: PASSWORD_MANAGER_MASTER_PASSWORD is supported for automation but is a sensitive secret; avoid using it on multi-user systems, CI runners without secret storage, or places where process/environment variables can be leaked. - Cache derivation detail: the cache key derivation uses a fixed salt constant (CACHE_SALT_FIXED). This is a design weakness for the cache encryption (it makes offline guessing of cache-derived data slightly easier than if per-install random salt were used). If you rely on the cache file for long-lived convenience, consider reducing cache lifetime or removing cache entirely. - Audit & Logs: SKILL.md advertises audit logs and operation history. Confirm what is logged and where; ensure logs don't contain plaintext secrets and that log files are protected. - Backups & recovery: confirm your backup strategy (vault.enc is the canonical encrypted vault file). Losing the master password may make recovery impossible. If you are not comfortable reviewing the full source, either decline the skill or run it in an isolated environment (sandbox/VM) and/or adjust config (disable caching, lower cache timeout) before storing high-value secrets.

Type: OpenClaw Skill Name: password-manager Version: 1.0.4 The OpenClaw AgentSkills skill bundle for 'password-manager' is classified as benign. The code implements strong cryptographic practices (AES-256-GCM, PBKDF2-SHA256), robust input sanitization across all user-facing functions (CLI and OpenClaw tools), and secure handling of sensitive data (memory wiping, encrypted vault and cache). All file operations are strictly local to the skill's workspace, and there is no evidence of data exfiltration, unauthorized network communication, or persistence mechanisms. The `SKILL.md` and `hooks/openclaw/HOOK.md` documentation are purely descriptive and do not contain any prompt injection attempts designed to manipulate the agent maliciously. While the `password_manager_get` tool defaults to `showPassword: true`, this is a core feature of a password manager, allowing the agent to fulfill its intended purpose of managing and retrieving credentials, and is not indicative of malicious intent.