api-key-auditor
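v1.0.0
Scans all files under the ~/.openclaw/workspace/skills directory for hardcoded API keys, tokens, and secrets, checks whether they have already been integrated into openclaw.json env.vars, and can automatically migrate credentials that have not been integrated. Use when user asks to audit/check/scan for...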
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the included code and SKILL.md. The script scans ~/.openclaw/workspace/skills, checks ~/.openclaw/openclaw.json, optionally writes found values there, and skips mcporter-managed keys — all coherent with the stated purpose.
Instruction Scope
Instructions and the script operate only on local files (skills directory, ~/.openclaw/openclaw.json, ~/.mcporter/mcporter.json). They do not call external networks or hidden endpoints. Note: the --fix mode will write secrets into openclaw.json (the SKILL.md explains this), and SKILL.md suggests restarting the gateway; run read-only first.
Install Mechanism
Instruction-only skill with a bundled Python script and no install spec; nothing is downloaded or installed automatically.
Credentials
The skill requests no environment variables or external credentials. It legitimately reads local config files. Caution: migrating with --fix stores secret values in plaintext inside openclaw.json, which centralizes secrets and may increase exposure if that file is widely readable.
Persistence & Privilege
The skill is not forced-always, does not modify other skills, and only updates the openclaw.json file when explicitly run with --fix. Autonomous invocation is allowed by default but not combined with other concerning privileges here.
Assessment
Inspect and run in read-only mode first: run the auditor without --fix to review findings. If you use --fix, be aware the script writes the raw secret values into ~/.openclaw/openclaw.json (plaintext); back up that file and ensure its filesystem permissions are restrictive. Review added env var names and manually replace hardcoded values in source files as instructed. Only run --fix if you trust this skill source and understand the tradeoff of centralizing secrets. If unsure, open scripts/audit.py yourself to verify behavior before running.
Like a lobster shell, security has layers — review code before you run it.
