api-key-auditor

v1.0.0

Scans every file under ~/.openclaw/workspace/skills for hardcoded API keys, tokens and secrets, checks whether each is already integrated into openclaw.json env.vars, and can automatically migrate any unintegrated credentials there. Use when user asks to audit/check/scan for...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lemongggit/api-key-auditor.

Install the skill "api-key-auditor" (lemongggit/api-key-auditor) from ClawHub.
Skill page: https://clawhub.ai/lemongggit/api-key-auditor
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install api-key-auditor

ClawHub CLI

npx clawhub@latest install api-key-auditor

Security Scan

VirusTotal: Benign

OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the included code and SKILL.md. The script scans ~/.openclaw/workspace/skills, checks ~/.openclaw/openclaw.json, optionally writes found values there, and skips mcporter-managed keys — all coherent with the stated purpose.
Instruction Scope
Instructions and the script operate only on local files (skills directory, ~/.openclaw/openclaw.json, ~/.mcporter/mcporter.json). They do not call external networks or hidden endpoints. Note: the --fix mode will write secrets into openclaw.json (the SKILL.md explains this), and SKILL.md suggests restarting the gateway; run read-only first.
Install Mechanism
Instruction-only skill with a bundled Python script and no install spec; nothing is downloaded or installed automatically.
Credentials
The skill requests no environment variables or external credentials. It legitimately reads local config files. Caution: migrating with --fix stores secret values in plaintext inside openclaw.json, which centralizes secrets and may increase exposure if that file is widely readable.
Persistence & Privilege
The skill is not forced-always, does not modify other skills, and only updates the openclaw.json file when explicitly run with --fix. Autonomous invocation is allowed by default but not combined with other concerning privileges here.
Assessment
Inspect and run in read-only mode first: run the auditor without --fix to review findings. If you use --fix, be aware the script writes the raw secret values into ~/.openclaw/openclaw.json (plaintext); back up that file and ensure its filesystem permissions are restrictive. Review added env var names and manually replace hardcoded values in source files as instructed. Only run --fix if you trust this skill source and understand the tradeoff of centralizing secrets. If unsure, open scripts/audit.py yourself to verify behavior before running.

Like a lobster shell, security has layers — review code before you run it.

latest: vk978m0mds65nqwnnm6qqbpndkn837grr
150 downloads · 0 stars · 1 version
Updated 1mo ago · v1.0.0 · MIT-0

API Key Auditor

Scans the skills directory for hardcoded credentials and outputs a report on their integration status.

Usage

# Audit only (read-only, modifies no files)
python3 ~/.openclaw/workspace/skills/api-key-auditor/scripts/audit.py

# Auto-migrate: write unintegrated keys into openclaw.json
python3 ~/.openclaw/workspace/skills/api-key-auditor/scripts/audit.py --fix

Parameters

Parameter         Default                        Description
--skills-dir      ~/.openclaw/workspace/skills   Directory to scan
--openclaw-json   ~/.openclaw/openclaw.json      Target config file
--fix             -                              Automatically write unintegrated keys into env.vars

Report output

Status                                    Meaning
✅ Integrated into openclaw.json           The credential is registered as an environment variable; safe
🔧 Managed by mcporter (no migration)      The key lives in ~/.mcporter/mcporter.json, where mcporter centrally manages MCP server connections; no extraction needed
⚠️ Not integrated                          The credential is hardcoded in a file; migration recommended

Migration workflow

  1. Run the audit and review the ⚠️ not-integrated items
  2. Run with --fix: the script writes the keys into openclaw.json env.vars and lists the file locations that need manual replacement
  3. In each listed file, replace the hardcoded value with an environment variable reference:
    • Python: os.environ.get('VAR_NAME')
    • Shell: $VAR_NAME or ${VAR_NAME}
  4. Restart OpenClaw so the environment variables take effect (openclaw gateway restart)
  5. Run the audit again to confirm ✅

Design notes

  • mcporter keys are not extracted: the ?key= parameter in MCP server URLs inside ~/.mcporter/mcporter.json is already managed centrally by mcporter and does not count as a hardcoded credential to extract
  • Placeholders are filtered automatically: example values such as your-api-key-here and REPLACE_ME are not reported as findings
  • Read-only mode is safe: without --fix, the script modifies no files
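As an added illustration of the audit and classification logic described above (example code written for this page, not the skill's own scripts/audit.py): the scanner finds key/token/secret assignments in file contents, drops placeholder values, classifies each finding against openclaw.json env.vars and the ?key= parameters of MCP server URLs, and lists what a --fix run would add. The regex, the placeholder markers, the assumed layout of mcporter.json and all sample inputs are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlparse
# NAME = "value" / NAME: 'value' where NAME contains key, token or secret.
SECRET_RE = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:key|token|secret)[A-Z0-9_]*)\s*[=:]\s*['\"]([^'\"\s]{8,})['\"]")
PLACEHOLDER_RE = re.compile(r"(?i)your-|replace_me|changeme|example")  # example-value markers

def find_hardcoded(text):
    """(variable name, literal value) pairs found in text, placeholders skipped."""
    return [(m.group(1), m.group(2)) for m in SECRET_RE.finditer(text)
            if not PLACEHOLDER_RE.search(m.group(2))]

def url_keys(node):
    """?key= values from every URL string in a JSON tree (mcporter.json layout assumed)."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        return set().union(*(url_keys(v) for v in node))
    if isinstance(node, str) and node.startswith("http"):
        return set(parse_qs(urlparse(node).query).get("key", []))
    return set()

def audit(files, openclaw_cfg, mcporter_cfg):
    """files: {path: content}. Returns (path, name, value, status) rows."""
    registered = set(openclaw_cfg.get("env", {}).get("vars", {}).values())
    managed = url_keys(mcporter_cfg)
    rows = []
    for path, text in files.items():
        for name, value in find_hardcoded(text):
            if value in registered:
                status = "integrated"        # already registered in env.vars
            elif value in managed:
                status = "mcporter-managed"  # lives in an MCP server URL
            else:
                status = "not-integrated"    # what --fix would migrate
            rows.append((path, name, value, status))
    return rows

def plan_fix(rows):
    """Env vars a --fix run would add: only the not-integrated findings."""
    return {name.upper(): value for _, name, value, status in rows if status == "not-integrated"}

# Constructed sample inputs (not real files, configs or keys).
FILES = {"weather/main.py": 'API_KEY = "sk-constructed-weather-1234"\n',
         "maps/run.sh": 'MAPS_TOKEN="maps-constructed-abcdef"\n',
         "demo/example.py": 'API_KEY = "your-api-key-here"\n',
         "search/cfg.py": 'SEARCH_KEY = "mcp-constructed-9999"\n'}
OPENCLAW = {"env": {"vars": {"WEATHER_API_KEY": "sk-constructed-weather-1234"}}}
MCPORTER = {"servers": {"search": {"url": "https://mcp.example/sse?key=mcp-constructed-9999"}}}
```

Running audit(FILES, OPENCLAW, MCPORTER) yields one integrated, one mcporter-managed and one not-integrated row, and plan_fix returns only the last as the env var --fix would write.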
