by 安全扫描
OpenClaw
可疑
medium confidenceThe skill appears to be a password manager CLI wrapper, but its instructions require an external 'ravi' CLI and authentication yet the skill declares no required binaries, install steps, or credentials — this mismatch is suspicious and warrants caution.
评估建议
This skill's instructions call an external 'ravi' CLI and show workflows that return plaintext passwords, but the package metadata doesn't declare the CLI, jq, or any authentication mechanism. Before installing or using: verify where the 'ravi' binary comes from and trustworthiness of its publisher; confirm how you authenticate (API token, local config, or login) and where credentials are stored; ensure TLS/server identity for ravi.id; install and inspect the ravi CLI yourself (or its source cod...详细分析 ▾
⚠ 用途与能力
The SKILL.md describes storing/retrieving website credentials via a 'ravi' CLI (ravi passwords ...). That purpose is plausible, but the skill metadata declares no required binaries, no install steps, and no primary credential. A password-manager skill would normally require the ravi CLI binary (or an API token/config) to exist and authenticate the user; omitting those is inconsistent.
ℹ 指令范围
Runtime instructions show shell usage that expects the 'ravi' CLI and use of jq pipelines to parse JSON and extract plaintext passwords. The instructions themselves do not ask the agent to read unrelated files or exfiltrate data, but they do assume local tooling and an authenticated session without documenting how to obtain credentials or where authentication state is stored.
ℹ 安装机制
There is no install spec (instruction-only), which minimizes on-disk risk. However, the instructions rely on an external 'ravi' binary (and implicitly jq) but do not declare them or provide installation guidance — an omission that reduces transparency and may hide required setup steps.
⚠ 凭证需求
The skill declares no required environment variables or config paths. For a password manager, one would expect credentials, an API token, or a documented authentication flow. The lack of declared credentials or config paths is disproportionate to the sensitivity of operations (creating/retrieving plaintext passwords).
✓ 持久化与权限
Flags are default: always=false and model invocation allowed. The skill does not request persistent system privileges or modify other skills. No elevated persistence concerns were found.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv2.1.12026/2/27
Auto-published from 19d2b7eea3e0a215bf8c5726dd9e1fb86307cdd7
● 无害
安装命令 点击复制
官方npx clawhub@latest install ravi-passwords
镜像加速npx clawhub@latest install ravi-passwords --registry https://cn.clawhub-mirror.com
技能文档
Store and retrieve passwords for services you sign up for. All credential fields (username, password, notes) are server-side encrypted — you send and receive plaintext.
Commands
# Create entry (auto-generates password if password not given)
ravi passwords create example.com# Create with username and password
ravi passwords create example.com --username "me@example.com" --password "S3cret!"
# List all entries
ravi passwords list
# Retrieve a specific entry by UUID
ravi passwords get
# Update an entry
ravi passwords update --password "NewPass!"
# Delete an entry
ravi passwords delete
# Generate a password without storing it
ravi passwords generate
Create fields: domain (required), --username, --password, --notes
If --password is omitted, the server auto-generates a strong password.
JSON Shapes
ravi passwords list:
[
{
"uuid": "uuid",
"identity": 1,
"domain": "example.com",
"username": "me@example.com",
"password": "S3cret!",
"notes": "",
"created_dt": "2026-02-25T10:30:00Z",
"updated_dt": "2026-02-25T10:30:00Z"
}
]
ravi passwords get :
{
"uuid": "uuid",
"identity": 1,
"domain": "example.com",
"username": "me@example.com",
"password": "S3cret!",
"notes": "",
"created_dt": "2026-02-25T10:30:00Z",
"updated_dt": "2026-02-25T10:30:00Z"
}
Common Patterns
Sign up for a service — store credentials immediately
# Generate and store credentials during signup
CREDS=$(ravi passwords create example.com --username "me@example.com")
PASSWORD=$(echo "$CREDS" | jq -r '.password')
# Use $PASSWORD in the signup form
Log into a service — retrieve stored credentials
# Find entry by domain
ENTRY=$(ravi passwords list | jq -r '.[] | select(.domain == "example.com")')
UUID=$(echo "$ENTRY" | jq -r '.uuid')# Get full credentials including password
CREDS=$(ravi passwords get "$UUID")
USERNAME=$(echo "$CREDS" | jq -r '.username')
PASSWORD=$(echo "$CREDS" | jq -r '.password')
Important Notes
- Server-side encryption is transparent — you always see plaintext values.
- Domain cleaning — pass the bare domain (e.g.,
example.com), not a full URL. The server normalizes it. - Auto-generate password — if
--passwordis omitted when creating an entry, the server auto-generates a strong password. The generated password is returned in the response. - Domain normalization — the server strips subdomains (e.g.
app.example.combecomesexample.com). Pass the bare domain or a full URL — both work.
Full API Reference
For complete endpoint details, request/response schemas, and parameters: Passwords
Related Skills
- ravi-secrets — Store API keys and env vars (key-value secrets, not website credentials)
- ravi-login — End-to-end signup/login workflows that store credentials here
- ravi-identity — Get your email address for the username field
- ravi-feedback — Report password manager issues or suggest improvements
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制