password-manager 安全扫描报告 — 低风险 | ClawSafe

10 /100

password-manager

本地密码管理器，用于存储、查询、修改和删除账号密码

A legitimate local password manager using Fernet encryption with no malicious behavior detected - all functionality is declared and implemented correctly.

技能名称password-manager

分析耗时29.2s

引擎pi

✓

可以安装

This skill is safe to use. No security concerns identified.

安全发现 2 项

严重性	安全发现	位置
低危	Unpinned dependency version 供应链 The cryptography package has no version constraint in the documentation. While not a direct vulnerability, it could lead to unexpected behavior with future breaking changes. `pip install cryptography` → Consider pinning to a specific version: pip install cryptography>=41.0.0	`SKILL.md:158`
低危	Minor code structure anomaly 文档欺骗 The list_tags function definition appears to be accidentally duplicated inside the batch_delete function body, which could indicate a copy-paste error during development. `def list_tags(): (appears inside batch_delete)` → Remove the duplicate function definition inside batch_delete and ensure clean code structure	`password_manager.py:330`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	Uses filesystem:WRITE for password storage files (~/.openclaw/workspace/password…
网络访问	`NONE`	`NONE`	—	No network requests found in code
命令执行	`NONE`	`NONE`	—	No subprocess or shell command execution
环境变量	`NONE`	`NONE`	—	Does not access os.environ
技能调用	`NONE`	`NONE`	—	No skill invocation
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser access
数据库	`NONE`	`NONE`	—	No database access

1 项发现

📧

提示邮箱邮箱地址

[email protected]

SKILL.md:55

目录结构

2 文件 · 31.0 KB · 977 行

Python 1f · 719L Markdown 1f · 258L

├─ 🔑 password_manager.py ⚠ Python 719L · 24.2 KB

└─ 📝 SKILL.md Markdown 258L · 6.8 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`cryptography`	`*`	pip	否	Version not pinned - consider adding minimum version constraint

安全亮点

✓ Uses Fernet encryption for password storage - industry standard symmetric encryption

✓ Encryption key stored with 600 permissions (read/write for owner only)

✓ Atomic file writes prevent race conditions

✓ No network requests - all data stays local

✓ No credential theft - doesn't iterate environment variables for sensitive keys

✓ No obfuscation - code is readable and well-structured

✓ No sensitive path access (no ~/.ssh, ~/.aws, .env access)

✓ CSV export creates files locally without network transmission

✓ Clear documentation matching actual implementation