Skill

password-protect

Use when you need to apply password protection to an NTAG21x or MIFARE tag — set a password to prevent unauthorized reads or writes.

npx claudepluginhub danielrosehill/claude-code-plugins --plugin nfc-ops

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Apply or update password protection on an NFC tag. For NTAG21x tags, configures PWD (password) and PACK (pack) pages and sets the AUTH0 byte to require authentication. For MIFARE Classic tags, changes the key A or key B in a sector. Password is read from user input and never logged in plaintext.

SKILL.md

Similar Skills

cache-components

139.3k

Guides Next.js Cache Components and Partial Prerendering (PPR): 'use cache' directives, cacheLife(), cacheTag(), revalidateTag() for caching, invalidation, static/dynamic optimization. Auto-activates on cacheComponents: true.

cache-components

mcp-builder

124.2k

Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).

9 files

anthropics-skills-13

Stats

Stars0

Forks0

Last CommitApr 30, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Password Protect

When to use

You want to lock a tag so only you (with the password) can modify it.
You need to prevent accidental reads or writes to sensitive tags.
Rotating a password on an already-protected tag.

Inputs to gather

Password (new) — prompt user to enter via read -sp (input masked). Do not display or log this value.
For MIFARE Classic only: Which key (A or B) to update? Which sector(s)? (Default: all sectors, key A).
Confirm: Display "You are about to protect this tag with a password. This action is irreversible if the password is lost. Continue? (yes/no)".

Procedure

Verify nfc-list is available.
Prompt user to present the tag.
Run nfc-list to detect the tag and identify its type. Fail if no tag is detected.
For NTAG21x (213, 215, 216):
- Prompt for password (masked input).
- Compute PWD value (user-supplied, or derive from input if a schema is used — specify the derivation method).
- Compute PACK value (typically a 2-byte challenge-response; use a standard or prompt user).
- Read the current AUTH0 byte (usually page 2, byte 3).
- Write PWD to page 43 (4 bytes) and PACK to page 44 (2 bytes).
- Write AUTH0 to enable read/write protection starting from page 5 (or page specified by user).
- Read back to confirm writes succeeded.
- Log (no plaintext password): timestamp, UID, action="password_protect", "auth0_set_to_<page_number>", status="success".
For MIFARE Classic:
- Prompt for password (masked input).
- Prompt which key (A or B) and which sector(s) to protect (default: all, key A).
- Run nfc-mfclassic write with the new key in the sector trailers.
- Read back sector trailer to verify the key change took effect.
- Log (no plaintext password): timestamp, UID, action="key_update", sector_range, key_letter, status="success".
Display confirmation: "Tag UID is now password-protected. Please save your password in a secure location."

Output / side effects

The tag now requires the password for further reads/writes.
${CLAUDE_USER_DATA:-${XDG_DATA_HOME:-$HOME/.local/share}/claude-plugins}/nfc-ops/state/write-log.jsonl is appended with a password-protection entry (no plaintext password).
User must remember the password; there is no recovery method.

Safety / constraints

IRREVERSIBLE: If the user forgets the password, the tag is permanently locked and unusable. Strongly warn before confirming.
No plaintext logging: The password is never written to any log file, terminal history, or cache. Only the fact that protection was applied is logged.
Backup before protect: Suggest the user run read-tag and save the current content before applying protection, in case they need to restore later.
PACK derivation: If PACK is computed from the password, document the formula so the user can recreate it if needed. If PACK is arbitrary, allow the user to specify or generate randomly.