acetoolz-password Security Report — Low Risk | ClawSafe

20 /100

acetoolz-password

Generate secure passwords via the AceToolz API

Skill is a documentation-only prompt for password generation via external API but declares insufficient permissions for implied shell execution.

Skill Nameacetoolz-password

Duration21.8s

Enginepi

✓

Safe to install

Add 'shell:WRITE' to the permissions array in the frontmatter to accurately reflect the curl command execution requirement.

Findings 1 items

Severity	Finding	Location
Medium	Shell execution permission not declared Priv Escalation The skill instructs using 'exec' to run curl commands but only declares 'network:outbound' permission. Shell:WRITE permission is implicitly required for the curl command execution. Use `exec` to call the AceToolz API... → Update permissions array to include 'shell:WRITE' or clarify that 'exec' maps to a tool with shell execution capability.	`SKILL.md:21`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	SKILL.md:7 - permissions: ['network:outbound']
Shell	`NONE`	`WRITE`	✗ Violation	SKILL.md:21-27 - curl command requires shell execution

3 findings

🔗

Medium External URL 外部 URL

https://www.acetoolz.com/generate/tools/password-generator

SKILL.md:18

🔗

Medium External URL 外部 URL

https://www.acetoolz.com/api/openclaw/password-generator

SKILL.md:31

🔗

Medium External URL 外部 URL

https://www.acetoolz.com

SKILL.md:69

1 files · 2.8 KB · 76 lines

Markdown 1f · 76L

└─ 📝 SKILL.md Markdown 76L · 2.8 KB

✓ No actual code/scripts present - purely documentation

✓ No credential theft or sensitive data access

✓ API endpoint is clearly documented (acetoolz.com)

✓ No obfuscation or suspicious encoding detected

✓ No data exfiltration beyond the declared API call

✓ Error handling is appropriately documented