Session Password

Provides secure session authentication using bcrypt-hashed passwords, security questions, email recovery, and lockout protection with audit logging.

Key issues to consider before installing: 1) Hard-coded billing API key: package.json and billing scripts include an API key for SkillPay. That secret is embedded in the distributed code rather than declared as a required environment variable. Verify with the author why a provider key is shipped here and consider removing or rotating it. Treat this as sensitive — it could be abused to call the billing API. 2) Inconsistent filenames and config: The setup script writes auth-config.json and auth-users.json but auth-core and email-recovery expect passphrase.json and other names. This mismatch likely breaks functionality or causes unexpected behavior. Ask the author for a clear mapping of config files or a corrected release. 3) Mixed/weak hashing on recovery: Normal operation uses bcrypt, but the recovery routine stores a new passphrase as a SHA-256 hex digest. That weakens password storage and is a security regression. Do not rely on recovery flows until this is fixed. 4) Billing behavior & external calls: The skill will call skillpay.me endpoints and may attempt to charge users. SKILL.md doesn't show how user IDs are derived or consent flows. Confirm how billing is triggered, what user identifier is sent, and whether personal data may be transmitted. 5) Stubs and testing artifacts: Email recovery defaults to a stub mode that writes recovery codes to a file in the workspace and logs them to console. That may leak codes into logs or files; enable SMTP only after auditing. Recommended actions: do not enable this skill in production until the author addresses the above. If you want to test it, run it in an isolated environment, rotate any exposed keys, and review/patch the recovery hashing and filename mismatches. Ask the publisher for a signed, corrected release and an explanation for the embedded billing key and pricing inconsistencies.

Type: OpenClaw Skill Name: session-password Version: 1.6.1 The skill bundle implements a legitimate session authentication system for OpenClaw using industry-standard bcrypt hashing, security questions, and email-based recovery. The code is well-structured, follows security best practices such as restricted file permissions (0o600), and includes a transparent billing integration with the SkillPay platform ($0.01/call) as disclosed in SKILL.md and package.json. While it contains a hardcoded API key in scripts/billing.js, this appears to be a design choice for the skill's monetization model rather than a malicious backdoor or exfiltration mechanism.