API credentials hygiene

v1.0.0

Audits and hardens API credential handling (env vars, separation, rotation plan, least privilege, auditability). Use when integrating services or preparing production deployments where secrets must be managed safely.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, inputs, and outputs are consistent: the SKILL.md asks for lists of integrations/config snippets and produces credential maps, rotation runbooks, and templates — all coherent with an 'API credentials hygiene' auditor.
Instruction Scope
Instructions stay within the claimed scope: inventory credentials, propose env var mappings, rotation plans, and audit logs. It accepts optional config snippets and explicitly warns not to output real secrets and to be read-only by default. There are no instructions to read arbitrary system paths or send data to external endpoints.
Install Mechanism
No install spec and no codefiles — instruction-only. This minimizes disk and execution risk (lowest-risk category).
Credentials
Skill does not request any environment variables or credentials in its metadata. However, many of its recommended actions (moving secrets to a secret manager, updating deployment configs) could require credentials or elevated access if the user asks the agent to perform changes. The skill itself does not ask for those secrets — exercise caution if you provide secret-manager/API credentials to the agent later.
Persistence & Privilege
The always flag is false and the skill is user-invocable. It does not request persistent presence or permission to modify other skills or system-wide settings.
Assessment
This skill appears coherent and low-risk as distributed: it only provides auditing guidance and templates and does not request credentials or install software. Before using it, do not paste real secrets — provide redacted or placeholder config snippets. If you ask the agent to apply changes (e.g., update deployment files or call your secret manager), do not hand over secret-manager/API keys unless you trust the agent runtime and have scoped credentials (least privilege, short-lived tokens). Prefer manual review/approval of any runbook or file modifications, and ensure outputs contain placeholders (as the skill requires) rather than real tokens. If you need legal/compliance sign-off, obtain that outside this tool — the skill explicitly says it is technical guidance only.
