Secret Manager
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: secret-manager
Version: 1.0.0
The skill bundle is classified as benign. The `secret-manager.sh` script's actions, including storing API keys via `secret-tool`, modifying `auth-profiles.json` with Python, importing environment variables to systemd, and restarting the OpenClaw gateway service (including aggressive `pkill -9` within a Distrobox container), are all directly aligned with its stated purpose of securely managing API keys for OpenClaw. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts in `SKILL.md` beyond the legitimate scope of the skill.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these credentials are mishandled, a local user or process could gain access to linked third-party accounts or services.
The script supports storing account session cookies and OAuth/client secrets, not only ordinary API keys; these credentials can grant account-level access and are broader than the skill's API-key framing.
```bash
[LINKEDIN_LI_AT]="LinkedIn li_at Cookie"
[LINKEDIN_JSESSIONID]="LinkedIn JSESSIONID"
[GOOGLE_OAUTH_CLIENT_SECRET]="Google OAuth Client Secret"
```
Only store credentials that are truly needed, avoid session cookies unless explicitly required, and clearly declare the credential types and scopes in the skill metadata and user documentation.
Secrets may be exposed through normal config-file access, backups, sync tools, or other processes that can read the OpenClaw configuration directory.
The script writes the raw credential value into auth-profiles.json outside the keyring. That may be needed for OpenClaw integration, but it is not clearly framed as plaintext persistence.
```python
data['profiles'][profile_id]['key'] = value
with open(path, 'w') as f:
    json.dump(data, f, indent=2)
```
Warn users that secrets are written to auth-profiles.json, ensure strict file permissions, and prefer keyring references or safer scoped credential injection where possible.
A user following the documented example could accidentally leave a token in local command history or process-monitoring logs.
The skill presents itself as a secure secret manager but documents passing secrets directly on the command line, which can expose them through shell history or process listings.
**Set a key (direct):**

```bash
secret-manager DISCORD_BOT_TOKEN "my-token-value"
```
Prefer the interactive prompt or stdin-only input for secrets, and add a clear warning against passing secrets as command-line arguments.
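The two findings above (the raw value written to auth-profiles.json, and the secret passed in argv) share one remedy: take the value from stdin or a no-echo prompt, and write it to disk with owner-only permissions from the first byte. The following is an added example written for this review, not the skill's own code. The function names, the demo file name and the KEY=VALUE line format are assumptions made for the demo; `secret-tool store` reading the secret from stdin is the real tool's behaviour.

```bash
#!/bin/sh
# Added example: hardened input and storage paths for a secret-manager
# script. Not part of the audited skill; function names are assumptions.

# read_secret NAME
# Reads one secret value and prints it for the caller to capture with $(...).
# With a terminal on stdin it prompts without echo; with a pipe or redirect it
# consumes one line. The value never appears in argv, so it stays out of shell
# history and `ps` output.
read_secret() {
    if [ -t 0 ]; then
        printf 'Enter value for %s: ' "$1" >&2
        stty -echo
        IFS= read -r value
        stty echo
        printf '\n' >&2
    else
        IFS= read -r value
    fi
    [ -n "$value" ] || { echo "refusing empty value for $1" >&2; return 1; }
    printf '%s' "$value"
}

# write_private_file DEST
# Copies stdin to DEST via a temp file in the same directory. mktemp creates
# the temp file with mode 0600, so the content is never world-readable even
# for an instant, and the final mv is atomic, so readers never see a partial file.
write_private_file() {
    dest="$1"
    tmp=$(mktemp "$(dirname "$dest")/.tmp.XXXXXX") || return 1
    if cat > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# store_secret NAME DEST
# Composes the two: value from stdin/prompt, one KEY=VALUE line to a private
# file. This stands in for the skill's secret-tool + auth-profiles.json path
# so the example runs offline; the line format is a demo assumption.
store_secret() {
    name="$1"; dest="$2"
    value=$(read_secret "$name") || return 1
    printf '%s=%s\n' "$name" "$value" | write_private_file "$dest"
}

# Demo with a constructed value (no real credential):
#   printf 'demo-token-123\n' | store_secret DISCORD_BOT_TOKEN ./auth-profiles.demo
#   ls -l ./auth-profiles.demo        # -rw------- ...
# Keyring variant with the tool the skill already uses; secret-tool reads the
# secret from stdin, so again nothing lands in argv:
#   value=$(read_secret DISCORD_BOT_TOKEN) &&
#     printf '%s' "$value" | secret-tool store --label="OpenClaw DISCORD_BOT_TOKEN" service openclaw key DISCORD_BOT_TOKEN
```

The temp-file-plus-rename step matters even when the final `chmod 600` is already in a script: `open(path, 'w')` in the skill's Python creates the file under the caller's umask (typically 0644) and only a later chmod narrows it, leaving a window in which another local process can read the value.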
If that file is modified or the path is redirected, running the skill can execute arbitrary commands as the user.
The script sources a user-configurable env file as shell code. That executes any commands in the file, rather than safely parsing key-value pairs.
```bash
if [ -f "$SECRETS_FILE" ]; then
    echo "Sourcing secrets from $SECRETS_FILE..."
    source "$SECRETS_FILE"
fi
```
Parse the env file safely instead of using shell source, or require explicit user confirmation and document that the file is executable shell input.
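A loader that treats the env file as data rather than shell input, as an added example written for this review (not the skill's own code). `load_env_file`, `write_sample_env` and the sample file contents are constructed for the demo; the point is that a bare command line is rejected and a `$(...)` inside a value stays a literal string instead of running.

```bash
#!/bin/sh
# Added example: load an env file as data instead of executing it with
# `source`. Not part of the audited skill; load_env_file and the sample file
# are constructed for this demo.

# load_env_file PATH
# Exports every NAME=value line. Blank lines and # comments are skipped.
# Anything else (a bare command, a name that is not a shell identifier) is
# reported on stderr and skipped, and the function returns 1. Values are
# taken literally: $VAR, $(...) and backticks inside them are never expanded.
# One layer of matching surrounding quotes is stripped.
load_env_file() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            *=*) name=${line%%=*}; value=${line#*=} ;;
            *) echo "rejected (not NAME=value): $line" >&2; status=1; continue ;;
        esac
        # Identifier check: non-empty, no leading digit, only [A-Za-z0-9_].
        # (So `export FOO=bar` is rejected too; this loader takes bare pairs only.)
        case "$name" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "rejected (bad name): $line" >&2; status=1; continue ;;
        esac
        case "$value" in
            \"*\") value=${value#\"}; value=${value%\"} ;;
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        # export NAME=word assigns the already-expanded word; it is not
        # re-parsed, so an injected $(...) stays a plain string.
        export "$name=$value"
    done < "$file"
    return "$status"
}

# write_sample_env PATH: constructed sample, no real credentials.
write_sample_env() {
    cat > "$1" <<'EOF'
# OpenClaw secrets (constructed sample)
DISCORD_BOT_TOKEN=demo-token-123
GOOGLE_OAUTH_CLIENT_SECRET="quoted value with spaces"
echo this bare command would run under source
INJECT=$(echo this stays a literal string)
EOF
}

# Demo: one line is rejected, the rest are exported; only lengths are shown.
f=$(mktemp)
write_sample_env "$f"
if load_env_file "$f"; then echo "all lines accepted"; else echo "some lines rejected"; fi
echo "DISCORD_BOT_TOKEN: ${#DISCORD_BOT_TOKEN} chars; INJECT: $INJECT"
rm -f "$f"
```

The same file fed to `source` would run the `echo` line and the `$(...)` in `INJECT` with the user's privileges; here both are inert, and the non-zero return lets the caller refuse to continue when the file contains anything but assignments.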
Secret prefixes could appear in terminal output, chat transcripts, logs, or screenshots if the command is invoked.
The list command prints the first eight characters and length of each configured secret. This is partial disclosure of credential material.
```bash
echo " $key = ${val:0:8}... (${#val} chars)"
```
Do not display secret material by default; show only set/not-set status unless the user explicitly requests a reveal.
Updating a secret may disrupt active OpenClaw gateway sessions or tasks.
The script stops, force-kills, and restarts OpenClaw gateway processes. This is aligned with the documented purpose but can interrupt running work.
```bash
systemctl --user stop openclaw-gateway.service 2>/dev/null || true
pkill -9 -f "openclaw-gateway" 2>/dev/null
systemctl --user start openclaw-gateway.service
```
Run it when service interruption is acceptable, and consider using graceful restart behavior before force-killing processes.
Users have less registry-level assurance about where the executable script came from and how it is intended to be installed.
The registry-level metadata provides limited provenance and says there is no install spec, even though the artifact includes an executable shell script and SKILL.md frontmatter advertises a bash installer.
Source: unknown
Install specifications
No install spec — this is an instruction-only skill.
Verify the script contents and source before running it, and align the registry install metadata with the SKILL.md installer declaration.
