Privacy Guard
v0.3.0
Automatically detects leaks of sensitive information such as API keys, passwords and national ID numbers in OpenClaw logs, raises tiered alerts, and supports interactive confirmation and whitelist management.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (detect sensitive data in OpenClaw logs) matches the implemented behavior: the script searches OpenClaw log files for API keys, passwords, IDs, phone numbers, etc. Required resources (none) are proportional to the stated purpose.
Instruction Scope
SKILL.md only instructs running the included Python script. The script reads log files from a local OpenClaw log directory and persists detection results and user whitelist locally. Be aware the code stores a content_preview (up to ~100 chars) of matched lines in suspicious.json/whitelist files — these previews can include sensitive substrings.
Install Mechanism
No install spec; this is an instruction+script package. No downloads or foreign package installation are present in the provided files.
Credentials
The skill declares no required environment variables or credentials. It does read os.environ.get('LOCALAPPDATA') to build a default log path; otherwise it doesn't request secrets. The config contains an optional feishu_webhook field and README mentions Feishu notifications if configured — enabling that would send alerts to an external endpoint, so ensure any webhook is trusted and contains only metadata you accept sending.
Persistence & Privilege
The script persists whitelist.json, suspicious.json, and report/alert files in the skill directory (normal). It does not set always:true and does not modify other skills. Note that persisted previews may include secret fragments and remain on disk until removed.
Scan Findings in Context
[embedded_api_key_in_repo_files] unexpected: alert_log.md (included in the package) contains an apparent API key string starting with 'sk-' in the visible excerpt. Although the scanner pre-scan flags were empty, the repository itself holds example or extracted secrets. This is not required for the tool's operation and may indicate leftover sensitive data in the package.
Assessment
This skill appears to do what it says: locally scan OpenClaw logs and keep a pending-review list and whitelist. Before installing or running it:
1) Inspect the full privacy_guard.py for any network calls (search for 'requests', 'urllib', 'socket', 'http', 'feishu', 'webhook'). The README and config mention an optional Feishu webhook; leave it blank unless you trust the endpoint.
2) Be aware that the tool stores a content_preview (up to ~100 chars) of matched lines in suspicious.json and alert_log.md. Those previews can contain secrets; if you want strict non-persistence, modify the code to store only hashes or metadata.
3) Remove any embedded secrets found in the packaged files (alert_log.md contains an sk- key example) before sharing or deploying.
4) Run the script in a controlled environment first and review the generated suspicious.json/alert_log.md to confirm the stored data is acceptable.
If you want, share the remainder of privacy_guard.py (the truncated portions) and I can re-check specifically for outbound network calls or hidden behaviors.
