📦 Ravi passwords — 技能工具

v2.1.1

Store and retrieve website credentials — password manager for domain/username/password entries. Do NOT use for API keys/secrets (use ravi-secrets) or reading...

0· 467·0 当前·0 累计

by @raunaksingwi (Raunak Singwi)·MIT-0

网络工具浏览器自动化 API工具数据分析

下载技能包

License

MIT-0

最后更新

2026/4/11

安全扫描

VirusTotal

无害

查看报告

OpenClaw

可疑

medium confidence

The skill appears to be a password manager CLI wrapper, but its instructions require an external 'ravi' CLI and authentication yet the skill declares no required binaries, install steps, or credentials — this mismatch is suspicious and warrants caution.

评估建议

This skill's instructions call an external 'ravi' CLI and show workflows that return plaintext passwords, but the package metadata doesn't declare the CLI, jq, or any authentication mechanism. Before installing or using: verify where the 'ravi' binary comes from and trustworthiness of its publisher; confirm how you authenticate (API token, local config, or login) and where credentials are stored; ensure TLS/server identity for ravi.id; install and inspect the ravi CLI yourself (or its source cod...

详细分析 ▾

⚠ 用途与能力

The SKILL.md describes storing/retrieving website credentials via a 'ravi' CLI (ravi passwords ...). That purpose is plausible, but the skill metadata declares no required binaries, no install steps, and no primary credential. A password-manager skill would normally require the ravi CLI binary (or an API token/config) to exist and authenticate the user; omitting those is inconsistent.

ℹ 指令范围

Runtime instructions show shell usage that expects the 'ravi' CLI and use of jq pipelines to parse JSON and extract plaintext passwords. The instructions themselves do not ask the agent to read unrelated files or exfiltrate data, but they do assume local tooling and an authenticated session without documenting how to obtain credentials or where authentication state is stored.

ℹ 安装机制

There is no install spec (instruction-only), which minimizes on-disk risk. However, the instructions rely on an external 'ravi' binary (and implicitly jq) but do not declare them or provide installation guidance — an omission that reduces transparency and may hide required setup steps.

⚠ 凭证需求

The skill declares no required environment variables or config paths. For a password manager, one would expect credentials, an API token, or a documented authentication flow. The lack of declared credentials or config paths is disproportionate to the sensitivity of operations (creating/retrieving plaintext passwords).

✓ 持久化与权限

Flags are default: always=false and model invocation allowed. The skill does not request persistent system privileges or modify other skills. No elevated persistence concerns were found.

安全有层次，运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发，无需署名。

查看条款 ↗

运行时依赖

无特殊依赖

版本

latestv2.1.12026/2/27

Auto-published from 19d2b7eea3e0a215bf8c5726dd9e1fb86307cdd7

● 无害

安装命令

点击复制

官方npx clawhub@latest install ravi-passwords

镜像加速npx clawhub@latest install ravi-passwords --registry https://cn.longxiaskill.com

技能文档

Store and retrieve passwords for services you sign up for. All credential fields (username, password, notes) are server-side encrypted — you send and receive plaintext.

Commands

# Create entry (auto-generates password if password not given) ravi passwords create example.com # Create with username and password ravi passwords create example.com --username "me@example.com" --password "S3cret!" # List all entries ravi passwords list # Retrieve a specific entry by UUID ravi passwords get # Update an entry ravi passwords update --password "NewPass!" # Delete an entry ravi passwords delete

# Generate a password without storing it ravi passwords generate

Create fields: domain (required), --username, --password, --notes

If --password is omitted, the server auto-generates a strong password.

JSON Shapes

ravi passwords list:

[
  {
    "uuid": "uuid",
    "identity": 1,
    "domain": "example.com",
    "username": "me@example.com",
    "password": "S3cret!",
    "notes": "",
    "created_dt": "2026-02-25T10:30:00Z",
    "updated_dt": "2026-02-25T10:30:00Z"
  }
]

ravi passwords get :

{
  "uuid": "uuid",
  "identity": 1,
  "domain": "example.com",
  "username": "me@example.com",
  "password": "S3cret!",
  "notes": "",
  "created_dt": "2026-02-25T10:30:00Z",
  "updated_dt": "2026-02-25T10:30:00Z"
}

Common Patterns

Sign up for a service — store credentials immediately

# Generate and store credentials during signup
CREDS=$(ravi passwords create example.com --username "me@example.com")
PASSWORD=$(echo "$CREDS" | jq -r '.password')
# Use $PASSWORD in the signup form

Log into a service — retrieve stored credentials

# Find entry by domain
ENTRY=$(ravi passwords list | jq -r '.[] | select(.domain == "example.com")')
UUID=$(echo "$ENTRY" | jq -r '.uuid')# Get full credentials including password
CREDS=$(ravi passwords get "$UUID")
USERNAME=$(echo "$CREDS" | jq -r '.username')
PASSWORD=$(echo "$CREDS" | jq -r '.password')

Important Notes

Server-side encryption is transparent — you always see plaintext values.
Domain cleaning — pass the bare domain (e.g., example.com), not a full URL. The server normalizes it.
Auto-generate password — if --password is omitted when creating an entry, the server auto-generates a strong password. The generated password is returned in the response.
Domain normalization — the server strips subdomains (e.g. app.example.com becomes example.com). Pass the bare domain or a full URL — both work.

Full API Reference

For complete endpoint details, request/response schemas, and parameters: Passwords

Related Skills

ravi-secrets — Store API keys and env vars (key-value secrets, not website credentials)
ravi-login — End-to-end signup/login workflows that store credentials here
ravi-identity — Get your email address for the username field
ravi-feedback — Report password manager issues or suggest improvements

数据来源：ClawHub ↗ · 中文优化：龙虾技能库