Secret Manager
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill fits its secret-management purpose, but it handles powerful credentials and session cookies in ways that can expose or persist them without enough warning or scoping.
Review this skill carefully before installing. It may be useful for OpenClaw secret setup, but use the interactive prompt instead of direct command-line values, confirm the OpenClaw config directory permissions, avoid storing browser session cookies unless absolutely necessary, and inspect the env file before allowing it to be sourced.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these credentials are mishandled, a local user or process could gain access to linked third-party accounts or services.
The script supports storing account session cookies and OAuth/client secrets, not only ordinary API keys; these credentials can grant account-level access and are broader than the skill's API-key framing.
[LINKEDIN_LI_AT]="LinkedIn li_at Cookie"
[LINKEDIN_JSESSIONID]="LinkedIn JSESSIONID"
[GOOGLE_OAUTH_CLIENT_SECRET]="Google OAuth Client Secret"
Only store credentials that are truly needed, avoid session cookies unless explicitly required, and clearly declare the credential types and scopes in the skill metadata and user documentation.
Secrets may be exposed through normal config-file access, backups, sync tools, or other processes that can read the OpenClaw configuration directory.
The script writes the raw credential value into auth-profiles.json outside the keyring. That may be needed for OpenClaw integration, but it is not clearly framed as plaintext persistence.
data['profiles'][profile_id]['key'] = value
with open(path, 'w') as f:
    json.dump(data, f, indent=2)
Warn users that secrets are written to auth-profiles.json, ensure strict file permissions, and prefer keyring references or safer scoped credential injection where possible.
A user following the documented example could accidentally leave a token in local command history or process-monitoring logs.
The skill presents itself as a secure secret manager but documents passing secrets directly on the command line, which can expose them through shell history or process listings.
**Set a key (direct):**
```bash
secret-manager DISCORD_BOT_TOKEN "my-token-value"
```
Prefer the interactive prompt or stdin-only input for secrets, and add a clear warning against passing secrets as command-line arguments.
If that file is modified or the path is redirected, running the skill can execute arbitrary commands as the user.
The script sources a user-configurable env file as shell code. That executes any commands in the file, rather than safely parsing key-value pairs.
if [ -f "$SECRETS_FILE" ]; then
    echo "Sourcing secrets from $SECRETS_FILE..."
    source "$SECRETS_FILE"
fi
Parse the env file safely instead of using shell source, or require explicit user confirmation and document that the file is executable shell input.
Secret prefixes could appear in terminal output, chat transcripts, logs, or screenshots if the command is invoked.
The list command prints the first eight characters and length of each configured secret. This is partial disclosure of credential material.
echo "  $key = ${val:0:8}... (${#val} chars)"
Do not display secret material by default; show only set/not-set status unless the user explicitly requests a reveal.
Updating a secret may disrupt active OpenClaw gateway sessions or tasks.
The script stops, force-kills, and restarts OpenClaw gateway processes. This is aligned with the documented purpose but can interrupt running work.
systemctl --user stop openclaw-gateway.service 2>/dev/null || true
pkill -9 -f "openclaw-gateway" 2>/dev/null
systemctl --user start openclaw-gateway.service
Run it when service interruption is acceptable, and consider using graceful restart behavior before force-killing processes.
Users have less registry-level assurance about where the executable script came from and how it is intended to be installed.
The registry-level metadata provides limited provenance and says there is no install spec, even though the artifact includes an executable shell script and SKILL.md frontmatter advertises a bash installer.
Source: unknown
Install specifications: No install spec — this is an instruction-only skill.
Verify the script contents and source before running it, and align the registry install metadata with the SKILL.md installer declaration.
