ClawHub

Credential Hygiene Validator

v1.0.0

Checks whether credentials and tokens are stored safely. Validates file permissions, plaintext exposure, git repo contamination, log redaction coverage, and...

0· 300·1 current·1 all-time
byOnyedika Christopher Agada@techris93
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actions: scanning files, checking git status, and inspecting permissions. Minor inconsistency: registry metadata declares no required config paths, but the SKILL.md hard-codes ~/.openclaw and ~/.gitignore as targets — this is coherent with the described OpenClaw focus but should be declared explicitly in metadata.
Instruction Scope
SKILL.md only runs local, read-only commands (stat, grep, git, find, ls) against the user's home dotfiles and logs. These actions are within the declared purpose (permission checks, token pattern scanning, git/gitignore checks). It does not transmit data externally. Note: the grep patterns are broad and may produce false positives and the use of grep -P (PCRE) may not be available on all platforms.
Install Mechanism
Instruction-only skill with no install spec or code to download — lowest install risk.
Credentials
The skill requests no environment variables or credentials. The binaries it requires (grep, stat, git) are appropriate for the described checks.
Persistence & Privilege
always:false and normal model invocation settings. The skill does not request permanent presence or modify other skills/configuration.
Assessment
This skill appears to do exactly what it claims: read-only local checks for credential hygiene. Before installing or invoking it, review the SKILL.md to confirm the hard-coded paths (~/.openclaw, ~/.gitignore, logs) match what you want inspected. Be aware the grep patterns are broad and can yield false positives; test the commands manually in a safe environment first. Ensure your agent runs with the least privilege necessary (not as root) so it only examines your user files. If you want it to scan different directories, either edit the prompts or run the commands locally yourself rather than granting an agent broad access.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binsgrep, stat, git
latestvk97cdrwnvf3pfetp7srv9hfp798262va
300downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
Onyedika Christopher Agada@techris93
latest
Download

Credential Hygiene Validator

Checks whether credentials and tokens in config files are stored with reasonable hygiene. Catches common mistakes before they become incidents.

What it checks

  1. File permissions -- config files should be 600 or 700, not world-readable
  2. Plaintext tokens -- scans for hex tokens, JWTs (base64url with dots), Bearer strings, and API keys
  3. Git repo contamination -- whether the config directory sits inside a git working tree
  4. Gitignore coverage -- whether .gitignore excludes credential paths
  5. Log file leaks -- tokens appearing in log output (checks all formats: hex, JWT, Bearer per RFC 6750)
  6. Token age -- warns if tokens have not been rotated recently
  7. Atomic write safety -- checks if config backup exists (indicator of safe write patterns)

When to use it

  • After setting up a new tool or service
  • Before pushing dotfiles to a public repo
  • As part of a regular security hygiene review
  • When onboarding a new machine
  • After rotating credentials, to confirm the old token is gone

Example prompts

  • "Check if my OpenClaw tokens are stored safely"
  • "Audit my dotfiles for leaked credentials"
  • "Is my config directory in a git repo?"
  • "Check file permissions on my credentials"
  • "Are my tokens showing up in any log files?"

Checks run

# 1. File permissions
stat -c '%a %n' ~/.openclaw/openclaw.json
# Expected: 600

# 2. Plaintext tokens (full token68 charset per RFC 7235)
grep -rnP '("token"\s*:\s*")[^"]{8,}"|[Bb]earer\s+[\w\-\.+/=~]{16,}|[a-f0-9]{32,}' \
  ~/.openclaw/ --include="*.json" 2>/dev/null

# 3. Git repo check
git -C ~/.openclaw rev-parse --is-inside-work-tree 2>/dev/null
# Expected: error (not in a repo)

# 4. Gitignore coverage
grep -q '.openclaw' ~/.gitignore 2>/dev/null && echo "covered" || echo "not covered"

# 5. Log file leaks (full token68 charset)
grep -rnP '[Bb]earer\s+[\w\-\.+/=~]{16,}|[a-f0-9]{32,}' \
  ~/.openclaw/logs/ --include="*.log" 2>/dev/null

# 6. Token age (check config file modification time)
find ~/.openclaw/openclaw.json -mtime +90 -print 2>/dev/null
# If output: token has not been rotated in 90+ days

# 7. Backup file exists (atomic write indicator)
ls ~/.openclaw/openclaw.json.bak 2>/dev/null && echo "backup present" || echo "no backup"

Notes

  • Read-only checks, does not modify any files
  • Token patterns match hex, JWT (header.payload.signature), base64url, and Bearer headers case-insensitively per RFC 6750
  • Works with any tool that stores credentials in dotfiles
  • Aligns with T-ACCESS-003 in the OpenClaw threat model

References

Comments

Loading comments...