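📦 DashPass — Encrypted Credential Vault
v0.8.1
DashPass is a decentralized encrypted credential vault designed for AI agents. It stores sensitive information such as API keys, tokens and passwords encrypted on-chain, where only you can decrypt and use them, eliminating plaintext leaks. It supports multi-chain sync and fine-grained permissions, making it easy to inject credentials securely in automation scripts, CI/CD or agent workflows.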
Last updated: 2026/4/16
Security scan
OpenClaw: Suspicious (medium confidence)
Assessment and recommendations
This skill implements what it says (a Dash-backed encrypted vault), but installing it means giving code access paths and/or an environment variable (CRITICAL_WIF) that is equivalent to a master key for all stored secrets. Before installing: 1) Review the included JS files yourself or have a trusted reviewer confirm there are no hidden network endpoints or exfiltration paths. 2) Do not export your production WIF into a long-lived environment variable on a machine where an autonomous agent can run...
✓ Purpose and capabilities
Name/description match what the files and CLI implement: a Dash Platform-backed encrypted vault. Required binaries (node) and the Evo SDK are consistent with interacting with the Dash Platform and performing client-side crypto. Requesting a wallet WIF and an Identity ID is expected for this design.
⚠ Instruction scope
The SKILL.md and included CLI instruct the agent to read process.env.CRITICAL_WIF and DASHPASS_IDENTITY_ID, create/read files under ~/.dashpass (shares, cache, audit.log), encrypt/decrypt locally, and emit secrets to stdout/`eval` (e.g., `env` and `--pipe`). Those behaviors are required for a vault, but they also make it trivial for an agent that can invoke the CLI to fetch plaintext secrets and/or export them into the environment or other processes. The docs claim human confirmation for critical operations, but that enforcement is implemented only via optional mutual-share flows — not automatically enforced.
ℹ Install mechanism
There is no formal install spec; the skill is instruction-only but includes JS files that import @dashevo/evo-sdk. The README/FAQ tells users to run `npm install @dashevo/evo-sdk@3.1.0-dev.1`. Relying on a dev-tag npm package and requiring the user to install dependencies is a moderate operational risk (supply-chain/typo risk) and should be noted; however, there are no external arbitrary download URLs or extracted archives in the repository.
⚠ Credential requirements
The skill requires CRITICAL_WIF (the vault master private key) and DASHPASS_IDENTITY_ID — both directly relevant. However, CRITICAL_WIF is a high-impact secret: possession equals the ability to decrypt all stored credentials. The SKILL.md and code also reference additional optional env vars (DASHPASS_CONTRACT_ID, DASHPASS_CACHE) that are not listed in the declared requires.env. Requiring the master WIF is proportionate to the vault function but substantially raises the blast radius if given to a skill that can be invoked autonomously.
⚠ Persistence and privileges
The skill does not request 'always: true', and model invocation is allowed (default). That is normal, but combined with the skill's need for the master WIF and the CLI behavior (writes share files, a cache, and an audit.log under ~/.dashpass), an agent that can invoke the skill autonomously could retrieve and exfiltrate secrets without further human action unless you configure mutual confirmation and keep the WIF out of persistent environments. The skill does not modify other skills or global agent config.
⚠ scripts/dashpass-cli.mjs:57
Environment variable access combined with network send.
⚠ scripts/dashpass-cli.mjs:39
File read combined with network send (possible exfiltration).
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v0.8.1 2026/4/5
● Benign
Install command
Official: `npx clawhub@latest install dashpass`
Mirror: `npx clawhub@latest install dashpass --registry https://cn.longxiaskill.com`