Description

Generate htpasswd entries for Apache/Nginx basic auth password management. Use when creating credentials, managing password files, or verifying users.

README (SKILL.md)

HtPasswd

Name: Htpasswd
Author: bytesagain-lab

A real htpasswd file manager for Apache/Nginx HTTP basic authentication. Create password files, add/remove users, verify passwords, and list users. Supports apr1 (Apache MD5), SHA-256, and SHA-512 hash algorithms via openssl.

Commands

Command	Description
`htpasswd create \x3Cfile> \x3Cuser> \x3Cpassword>`	Create a new htpasswd file with the first user (fails if file exists)
`htpasswd add \x3Cfile> \x3Cuser> \x3Cpassword>`	Add a user to an existing file (or update password if user exists)
`htpasswd delete \x3Cfile> \x3Cuser>`	Remove a user from the htpasswd file
`htpasswd verify \x3Cfile> \x3Cuser> \x3Cpassword>`	Verify a user's password (supports apr1, sha256, sha512, sha1, crypt)
`htpasswd list \x3Cfile>`	List all users with their hash algorithm type
`htpasswd version`	Show version
`htpasswd help`	Show available commands and usage

Configuration

Variable	Default	Description
`HTPASSWD_ALGO`	`apr1`	Hash algorithm: `apr1`, `sha256`, or `sha512`

Requirements

Bash 4+ (set -euo pipefail)
openssl — for password hashing and verification
grep, sed — standard text utilities
No external dependencies or API keys

When to Use

Setting up basic auth — htpasswd create /etc/nginx/.htpasswd admin secret to create a new file
Managing users — htpasswd add to add users, htpasswd delete to remove them
Password verification — htpasswd verify to check if a password is correct
Security audits — htpasswd list shows all users and their hash types
Stronger hashing — Set HTPASSWD_ALGO=sha512 for SHA-512 instead of default apr1

Examples

# Create a new htpasswd file
htpasswd create /etc/nginx/.htpasswd admin MySecretPass

# Add another user
htpasswd add /etc/nginx/.htpasswd editor AnotherPass

# Use SHA-512 for stronger hashing
HTPASSWD_ALGO=sha512 htpasswd add /etc/nginx/.htpasswd secure_user StrongPass

# List all users
htpasswd list /etc/nginx/.htpasswd

# Verify a password
htpasswd verify /etc/nginx/.htpasswd admin MySecretPass

# Delete a user
htpasswd delete /etc/nginx/.htpasswd editor

Example Output

$ htpasswd create /tmp/.htpasswd admin secret123
┌──────────────────────────────────────────────────┐
│  htpasswd File Created                           │
├──────────────────────────────────────────────────┤
│  File:     /tmp/.htpasswd                         │
│  User:     admin                                  │
│  Algo:     apr1                                   │
│  Perms:    640 (owner rw, group r)                │
├──────────────────────────────────────────────────┤
│  ✅ File created with 1 user                     │
└──────────────────────────────────────────────────┘

$ htpasswd list /tmp/.htpasswd
┌──────────────────────────────────────────────────┐
│  htpasswd Users                                  │
├──────────────────────────────────────────────────┤
│  File:  /tmp/.htpasswd                            │
│  Users: 2                                         │
├──────────────────────────────────────────────────┤
│   1. admin                [apr1 (MD5)      ]      │
│   2. editor               [sha512          ]      │
└──────────────────────────────────────────────────┘

$ htpasswd verify /tmp/.htpasswd admin secret123
┌──────────────────────────────────────────────────┐
│  Password Verification                           │
├──────────────────────────────────────────────────┤
│  File:     /tmp/.htpasswd                         │
│  User:     admin                                  │
│  Result:   ✅ Password CORRECT                   │
└──────────────────────────────────────────────────┘

Security Notes

Files are created with 640 permissions (owner read/write, group read)
Default algorithm is apr1 (Apache MD5) — widely compatible
Use HTPASSWD_ALGO=sha512 for stronger hashing on modern systems
Usernames cannot contain : or whitespace characters
Existing users get their password replaced when using add

Powered by BytesAgain | bytesagain.com | [email protected]

Usage Guidance

This skill appears to do exactly what it says: a local htpasswd manager implemented as a bash script. Before installing or running it, review the script (already included), test in a non-production directory, and ensure openssl is installed. Be aware it will create/modify files you point it at (e.g., /etc/nginx/.htpasswd) and may require root to write system locations. If you expect to accept arbitrary usernames, consider that the script does not fully escape usernames when using grep/sed — avoid unusual characters in usernames or improve escaping. Use HTPASSWD_ALGO=sha512 for stronger hashing if compatibility allows.

Capability Analysis

Type: OpenClaw Skill Name: htpasswd Version: 3.0.0 The skill provides a utility for managing htpasswd files but contains several security vulnerabilities in scripts/script.sh. It lacks input sanitization for the 'user' variable, which is used directly in sed and grep commands, allowing for regex or delimiter injection. Additionally, passwords are handled as command-line arguments, exposing them in the system's process list, and are passed to openssl without protection against flag injection (e.g., if a password starts with a hyphen).

Capability Assessment

✓ Purpose & Capability

Name/description match the included code and instructions. The script implements create/add/delete/verify/list commands for htpasswd files and only requires standard utilities (openssl, grep, sed) that are appropriate for the stated task.

ℹ Instruction Scope

Instructions and the script operate on arbitrary filesystem paths (e.g., /etc/nginx/.htpasswd), create parent directories, and change file permissions — which is expected for an htpasswd manager. Minor robustness issue: usernames are inserted directly into grep/sed patterns without escaping, which can produce unexpected behavior for unusual usernames (special regex characters, delimiter collisions). This is a functional/robustness concern, not evidence of exfiltration.

✓ Install Mechanism

No install spec; the skill is delivered as a standalone shell script and SKILL.md. Nothing is downloaded or written during an install step by the registry metadata.

✓ Credentials

No environment variables or credentials are required (HTPASSWD_ALGO is optional). The declared dependencies (openssl, grep, sed) align with functionality and no unrelated secrets/config paths are requested.

ℹ Persistence & Privilege

Skill is not always-enabled and has normal autonomous invocation allowed. The script will write and modify files on disk (including system paths if used); running it with agent autonomy could modify system htpasswd files if the agent has filesystem permissions. This is expected but the user should be aware of the write capability.

Version History

v3.0.0

v3.0.0: Real htpasswd manager.

v1.0.5

old template -> domain-specific v2.0.0

v1.0.4

old template -> domain-specific v2.0.0

v1.0.3

Quality upgrade

v1.0.2

Quality upgrade: custom functionality

v1.0.1

De-template, unique content, script cleanup

v1.0.0

Initial release

Metadata

Slug htpasswd

Version 3.0.0

License MIT-0

All-time Installs 1

Active Installs 1

Total Versions 7

Frequently Asked Questions

What is Htpasswd?

Generate htpasswd entries for Apache/Nginx basic auth password management. Use when creating credentials, managing password files, or verifying users. It is an AI Agent Skill for Claude Code / OpenClaw, with 341 downloads so far.

How do I install Htpasswd?

Run "/install htpasswd" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Htpasswd free?

Yes, Htpasswd is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Htpasswd support?

Htpasswd is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Htpasswd?

It is built and maintained by bytesagain-lab (@bytesagain-lab); the current version is v3.0.0.

More Skills

Htpasswd