ClawHub

Log Scrubber

v1.0.2

Automatically redacts API keys, tokens, and secrets from workspace logs and memory files.

0· 162·0 current·0 all-time
by@heather-herbert
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (redact API keys/tokens from workspace logs and memory) matches the shipped code and SKILL.md. The script only reads /root/.openclaw/workspace/{memory,logs} and MEMORY.md and performs regex-based redaction — these are proportionate to the stated purpose.
Instruction Scope
SKILL.md and the script consistently instruct scanning the workspace and offer a dry-run. The script modifies files in-place (saving .bak backups) as documented. There is no instruction to read unrelated system files, environment variables, or to transmit data externally. Note: it operates recursively on all files under the target dirs and opens files as UTF-8 text — this may produce errors or miss non-text files, but that is an implementation detail rather than scope creep.
Install Mechanism
Instruction-only skill with one included Python script and no install spec. No external downloads or package installation steps are present, so nothing is written to disk beyond the script itself and its normal runtime backups.
Credentials
No environment variables, credentials, or external endpoints are requested. The only resources accessed are the workspace paths declared in SKILL.md and the script. This access is consistent with the purpose.
Persistence & Privilege
always is false and the skill does not request elevated privileges or modify other skills or global agent configuration. It does persist changes to workspace files (and creates .bak backups), which is expected for a redaction tool and is disclosed in SKILL.md.
Assessment
This skill appears internally consistent and performs local redaction as described, but take these precautions before enabling it: 1) Run the --dry-run first to see what would be changed. 2) Back up important files (the script creates .bak files but keep your own backups). 3) Review the regex patterns to ensure they match your secret formats and to reduce false positives/negatives. 4) Be aware it opens files as UTF-8 text and will attempt to rewrite any file under memory/ and logs/ (binary files could error or be corrupted). 5) Verify you trust the source (homepage points to a repo) before installing — the code is simple and local, but always prudent to confirm provenance.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fyv7gyg3ww5ca7svjzjrqsn82vevpmaintenancevk97fyv7gyg3ww5ca7svjzjrqsn82vevpsecurityvk97fyv7gyg3ww5ca7svjzjrqsn82vevp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments