password-manager
A fully local password management skill for OpenClaw, providing secure credential storage capabilities.
Features
- 🔐 AES-256-GCM Encryption - Military-grade encryption protection
- 🔑 Master Password Caching - No need to re-enter within 48 hours
- 🎲 Password Generation - Customizable high-strength passwords
- 🔍 Sensitive Information Detection - Automatically identifies and prompts to save
- 📦 Fully Local - No dependency on external services
- 🔄 Version History - Supports rollback to previous versions
- 📊 Operation Audit - Records all operation logs
Installation
CODEBLOCK0
Quick Start
1. Initialization (First-time Use)
CODEBLOCK1
Set a master password (recommended: 12+ characters, including uppercase, lowercase, numbers, and symbols).
2. Add Entries
CODEBLOCK2
3. View Entries
CODEBLOCK3
4. Search
CODEBLOCK4
5. Generate Password
CODEBLOCK5
OpenClaw Integration
As an OpenClaw Skill, it provides the following tools:
| Tool | Function | Input Parameters |
|---|---|---|
| `password_manager_add` | Add entry | name, type, username, password, tags, notes |
| `password_manager_get` | Get entry | name, showPassword |
| `password_manager_update` | Update entry | name, password, username, tags, notes |
| `password_manager_delete` | Delete entry | name, confirmed |
| `password_manager_search` | Search entries | query, type, tag |
| `password_manager_list` | List entries | type |
| `password_manager_generate` | Generate password | length, includeUppercase, includeNumbers, includeSymbols |
| `password_manager_check_strength` | Check strength | password |
| `password_manager_status` | View status | - |
| `password_manager_detect` | Detect sensitive info | text |
| `password_manager_change_password` | Change master password | oldPassword, newPassword |
Usage Examples
CODEBLOCK6
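The usage example in this section shows the agent recognising a pasted OpenAI API key and offering to save it, and the FAQ below notes that detection events are logged without their content. The following is an added example (not the project's own code) of the two pieces that behaviour needs: a pattern-based detector and a content-free audit line. The patterns, function names and sample text are constructed for this example.

```javascript
// Added example, not the project's own code: a detector in the spirit of the
// password_manager_detect tool, plus the content-free audit record the FAQ
// describes for .logs/detection.jsonl. The patterns, names and sample text
// are constructed for this example; a real detector carries many more patterns.
const PATTERNS = [
  { kind: 'GitHub personal access token', type: 'token',   suggestedName: 'github-token',
    regex: /\bghp_[A-Za-z0-9]{20,}\b/g },
  { kind: 'OpenAI API key',               type: 'api_key', suggestedName: 'openai-key',
    regex: /\bsk-[A-Za-z0-9_-]{8,}\b/g },
  { kind: 'AWS access key ID',            type: 'api_key', suggestedName: 'aws-access-key',
    regex: /\bAKIA[0-9A-Z]{16}\b/g },
  { kind: 'PEM private key',              type: 'secret',  suggestedName: 'private-key',
    regex: /-----BEGIN [A-Z ]*PRIVATE KEY-----/g },
];

// Scan text and return one finding per match, in document order.
function detectSensitive(text) {
  const findings = [];
  for (const p of PATTERNS) {
    for (const m of text.matchAll(p.regex)) {
      findings.push({ kind: p.kind, type: p.type, suggestedName: p.suggestedName,
                      start: m.index, length: m[0].length, secret: m[0] });
    }
  }
  return findings.sort((a, b) => a.start - b.start);
}

// Replace each secret with a marker so the text can be echoed back in a
// confirmation prompt or stored in a transcript without leaking the value.
function redact(text, findings) {
  let out = text;
  for (const f of [...findings].sort((a, b) => b.start - a.start)) {
    out = out.slice(0, f.start) + `[${f.kind} redacted]` + out.slice(f.start + f.length);
  }
  return out;
}

// One JSON line per detection event. Only the category and length are kept;
// the secret itself never reaches the log.
function auditEvent(finding, now = new Date()) {
  return JSON.stringify({ ts: now.toISOString(), event: 'detect', kind: finding.kind,
                          type: finding.type, secretLength: finding.length });
}

// Constructed sample input, in the shape of the usage example above.
const SAMPLE = 'My API key is sk-xxxxxxxx and my token is ghp_' + 'A'.repeat(36);
```

Running `detectSensitive(SAMPLE)` yields two findings; `redact` turns the text into `My API key is [OpenAI API key redacted] and my token is [GitHub personal access token redacted]`, and `auditEvent` on either finding produces a line that carries the kind, type and length but none of the characters of the secret.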
Command Line Interface
Basic Commands
CODEBLOCK7
Options
| Option | Description |
|---|---|
| `--name` | Entry name (required) |
| `--type` | Entry type (password/token/api_key/secret) |
| `--username` | Username (optional) |
| `--password` | Password/value (auto-generated if not provided) |
| `--tags` | Tags (comma-separated, optional) |
| `--length` | Password length (default: 32) |
| `--show-password` | Show password in plaintext |
| `--confirm` | Skip confirmation (for sensitive operations) |
| `--old` | Old master password (for change-password) |
| `--new` | New master password (for change-password) |
Advanced Usage
Environment Variable Support
For automation and CI/CD, you can use the PASSWORD_MANAGER_MASTER_PASSWORD environment variable:
CODEBLOCK8
Security Note: Be cautious when using environment variables in shared environments, as they may be visible in process lists.
Cache Auto-Rebuild
When the cache file is missing or expired, the password manager will automatically attempt to rebuild it:
1. Cache Missing: If `.cache/key.enc` doesn't exist, the system will try to rebuild it from the provided password
2. Environment Variable: If `PASSWORD_MANAGER_MASTER_PASSWORD` is set, it will be used for the cache rebuild
3. Interactive Prompt: If no environment variable is set, you'll be prompted to enter the password
CODEBLOCK9
Configuration
`config.json` includes reasonable defaults and can be used directly. Edit it for customization:
CODEBLOCK10
Tip: If configuration is modified incorrectly, refer to config.example.json to restore defaults.
Security Documentation
Implemented Security Measures
1. AES-256-GCM Encryption - Military-grade encryption protection
2. PBKDF2 Key Derivation - 100,000 iterations
3. Dual Encryption - Vault and cache encrypted separately
4. Unbiased Random Numbers - Uses `crypto.randomInt()`
5. Input Validation - Sanitization at all entry points
6. Sensitive Operation Confirmation - Re-enter password for deletion
7. Memory Cleanup - `secureWipe()` removes sensitive data
8. Audit Logs - Records operations without content
Security Recommendations
1. Master Password: Cannot be recovered if lost, so store it securely
2. Regular Backups: Back up to external storage weekly
3. Strong Master Password: Use a 16+ character random password or passphrase
4. Lock Promptly: Lock manually when not in use for extended periods
5. Protect Configuration: Do not upload config.json to public repositories
6. Audit Logs: Regularly check `.logs/detection.jsonl`
Remaining Risks
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Cache file depends on filesystem permissions | Low | Medium | Encrypted |
| Memory keys may be dumped | Low | High | secureWipe added |
| Master password loss cannot be recovered | - | High | User education |
File Structure
CODEBLOCK11
Testing
Run Tests
CODEBLOCK12
Test Results
CODEBLOCK13
Passed Tests:
- ✅ crypto module (encryption/decryption/key derivation)
- ✅ generator module (password generation/strength check)
- ✅ sanitizeInput (input validation)
- ✅ initializeVault (initialization)
- ✅ lockVault (locking)
- ✅ restoreVault (restore verification)
Feature Checklist (F1-F16)
| ID | Feature | Status |
|---|---|---|
| F1 | AES-256-GCM encrypted storage | ✅ |
| F2 | CRUD operations | ✅ |
| F3 | Password generation (customizable) | ✅ |
| F4 | Password strength check | ✅ |
| F5 | Master password 48-hour cache | ✅ |
| F6 | Sensitive operation confirmation | ✅ |
| F7 | Automatic sensitive info detection | ✅ |
| F8 | Version history | ✅ |
| F9 | Operation audit logs | ✅ |
| F10 | OpenClaw tool integration | ✅ |
| F11 | Tag system | ✅ |
| F12 | Notes field | ✅ |
| F13 | Search/filter | ✅ |
| F14 | Backup/restore | ✅ |
| F15 | Password strength recommendations | ✅ |
| F16 | Auto-detection toggle | ✅ |
Feature Completeness: 16/16 (100%) ✅
Version
1.0.0 - Initial release (2026-02-28)
v1.0.0 Updates
- ✅ F1-F16 all features implemented
- ✅ 10 OpenClaw tools
- ✅ 45 unit tests
- ✅ Security score: 5.5/10 → 9.0/10
License
MIT
Frequently Asked Questions (FAQ)
Q: What if I forget my password?
A: The master password cannot be recovered if lost. Please back up regularly and store your master password securely.
Q: How do I change my master password?
A: The current version does not support changing the master password. You need to reinitialize and migrate data.
Q: Where is the vault file?
A: INLINECODE29
Q: How do I view operation logs?
A: Log files are in .logs/detection.jsonl, recording detection events without specific content.
Q: How do I disable sensitive information detection?
A: Edit config.json and set INLINECODE32
Q: Is the cache file secure?
A: The cache file is encrypted with AES-256-GCM and relies on filesystem permissions for protection.
Q: What entry types are supported?
A: Supports four types: password, token, api_key, secret.
Support
- Documentation: SKILL.md, INLINECODE38
- Testing: INLINECODE39
- Configuration: INLINECODE40
password-manager
A fully local password management skill for OpenClaw, providing secure credential storage capabilities.
Features
- 🔐 AES-256-GCM Encryption - Military-grade encryption protection
- 🔑 Master Password Caching - No need to re-enter within 48 hours
- 🎲 Password Generation - Customizable high-strength passwords
- 🔍 Sensitive Information Detection - Automatically identifies and prompts to save
- 📦 Fully Local - No dependency on external services
- 🔄 Version History - Supports rollback to previous versions
- 📊 Operation Audit - Records all operation logs
Installation
```bash
clawhub install password-manager
```
Quick Start
1. Initialization (First-time Use)
```bash
password-manager init
```
Set a master password (recommended: 12+ characters, including uppercase and lowercase letters, numbers, and symbols).
2. Add Entries
```bash
# Add manually
password-manager add --name github --type token --password ghp_xxx
# Auto-generate a password
password-manager add --name aws --type api_key
```
3. View Entries
```bash
password-manager get --name github --show-password
```
4. Search
```bash
password-manager search --query github
password-manager list --type token
```
5. Generate Password
```bash
password-manager generate --length 32
```
OpenClaw Integration
As an OpenClaw Skill, it provides the following tools:
| Tool | Function | Input Parameters |
|---|---|---|
| `password_manager_add` | Add entry | name, type, username, password, tags, notes |
| `password_manager_get` | Get entry | name, showPassword |
| `password_manager_update` | Update entry | name, password, username, tags, notes |
| `password_manager_delete` | Delete entry | name, confirmed |
| `password_manager_search` | Search entries | query, type, tag |
| `password_manager_list` | List entries | type |
| `password_manager_generate` | Generate password | length, includeUppercase, includeNumbers, includeSymbols |
| `password_manager_check_strength` | Check strength | password |
| `password_manager_status` | View status | - |
| `password_manager_detect` | Detect sensitive info | text |
| `password_manager_change_password` | Change master password | oldPassword, newPassword |
Usage Examples
```
User: Save my GitHub token to the password manager
Agent: 🔒 The password manager is locked, please provide the master password to unlock it
User: my-secret-password
Agent: ✅ GitHub token saved
User: My API key is sk-xxxxxxxx
Agent: 🔍 OpenAI API key detected
Do you want to save it to the password manager?
User: Save
Agent: ✅ Saved (entry name: openai-key)
User: I want to change my master password
Agent: 🔐 Please provide the old master password
User: my-old-password
Agent: ✅ Password verified. Please provide the new master password
User: my-new-secure-password
Agent: ✅ Master password changed successfully
The vault has been re-encrypted with the new password
```
Command Line Interface
Basic Commands
```bash
# Initialize
password-manager init
# Add
password-manager add --name <name> --type <type> [--password <password>]
# View
password-manager get --name <name> [--show-password]
# Update
password-manager update --name <name> --password <new-password>
# Delete
password-manager delete --name <name> [--confirm]
# Search
password-manager search --query <keyword> [--type <type>]
# List
password-manager list [--type <type>]
# Generate a password
password-manager generate [--length 32]
# Check strength
password-manager check-strength <password>
# Status
password-manager status
# Lock/unlock
password-manager lock
password-manager unlock
# Backup/restore
password-manager backup --output ~/backup.enc
password-manager restore --input ~/backup.enc
# Change the master password
password-manager change-password --old <old-password> --new <new-password>
```
Options
| Option | Description |
|---|---|
| `--type` | Entry type (password/token/api_key/secret) |
| `--username` | Username (optional) |
| `--password` | Password/value (auto-generated if not provided) |
| `--tags` | Tags (comma-separated, optional) |
| `--length` | Password length (default: 32) |
| `--show-password` | Show password in plaintext |
| `--confirm` | Skip confirmation (for sensitive operations) |
| `--old` | Old master password (for change-password) |
| `--new` | New master password (for change-password) |
Advanced Usage
Environment Variable Support
For automation and CI/CD, you can use the PASSWORD_MANAGER_MASTER_PASSWORD environment variable:
```bash
# Set the environment variable
export PASSWORD_MANAGER_MASTER_PASSWORD=your-master-password
# No interactive password entry is needed now
password-manager list
password-manager add --name github --type token --password ghp_xxx
password-manager change-password --old old-pass --new new-pass
```
Security Note: Be cautious when using environment variables in shared environments, as they may be visible in process lists.
Cache Auto-Rebuild
When the cache file is missing or expired, the password manager will automatically attempt to rebuild it:
1. Cache Missing: If `.cache/key.enc` doesn't exist, the system will try to rebuild it from the provided password
2. Environment Variable: If `PASSWORD_MANAGER_MASTER_PASSWORD` is set, it will be used for the cache rebuild
3. Interactive Prompt: If no environment variable is set, you'll be prompted to enter the password
```bash
# First run after the cache has expired
$ password-manager list
🔒 缓存丢失,正在尝试重建...
✅ 缓存重建成功
# Subsequent runs (within 48 hours)
$ password-manager list
✅ 使用缓存密钥(47小时59分钟后过期)
```
Configuration
`config.json` includes reasonable defaults and can be used directly. Edit it for customization:
```json
{
  "cacheTimeout": 172800,        // master password cache timeout (seconds, default: 48 hours)
  "maxHistoryVersions": 3,       // number of history versions to keep
  "auditLogLevel": "all",        // all/sensitive/none
  "autoDetect": {
    "enabled": true,             // enable sensitive information detection
    "sensitivityThreshold": "medium",
    "askBeforeSave": true
  },
  "requireConfirm": {
    "delete": true,
    "deleteAll": true,
    "export": true,
    "backup": true,
    "restore": true
  },
  "generator": {
    "defaultLength": 32,
    "includeUppercase": true,
    "includeNumbers": true,
    "includeSymbols": true
  }
}
```
Tip: If the configuration is modified incorrectly, refer to config.example.json to restore the defaults.
Security Documentation
Implemented Security Measures
1. AES-256-GCM Encryption - Military-grade encryption protection
2. PBKDF2 Key Derivation - 100,000 iterations
3. Dual Encryption - Vault and cache encrypted separately
4. Unbiased Random Numbers - Uses `crypto.randomInt()`
5. Input Validation - Sanitization at all entry points
6. Sensitive Operation Confirmation - Re-enter password for deletion
7. Memory Cleanup - `secureWipe()` removes sensitive data
8. Audit Logs - Records operations without content
Security Recommendations
1. Master Password: Cannot be recovered if lost, so store it securely
2. Regular Backups: Back up to external storage weekly
3. Strong Master Password: Use a 16+ character random password or passphrase
4. Lock Promptly: Lock manually when not in use for extended periods
5. Protect Configuration: Do not upload config.json to public repositories
6. Audit Logs: Regularly check `.logs/detection.jsonl`
Remaining Risks
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Cache file depends on filesystem permissions | Low | Medium | Encrypted |
| Memory keys may be dumped | Low | High | secureWipe added |
| Master password loss cannot be recovered | - | High | User education |
File Structure