OpenClaw Credential Manager

Audited by ClawScan on May 10, 2026.

Overview

The provided code does not show credential exfiltration, but it broadly gathers and persists local secrets, keeps plaintext backups, and uses forceful “mandatory” framing, so it needs careful review before use.

Only use this if you intentionally want to centralize OpenClaw credentials. Review scan output first, avoid --yes for the first migration, do not run cleanup until you have tested the new .env and verified encrypted or removable backups, and inspect the complete package source before using it with wallet, cloud, payment, or production keys.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Cloud keys, wallet keys, payment tokens, and unrelated app credentials could be concentrated into one file readable by any process running as the same user.

Why it was flagged

The skill intentionally aggregates credentials from broad local locations into one OpenClaw file, not just narrowly scoped OpenClaw-specific secrets.

Skill content
“THE RULE: All credentials MUST be in `~/.openclaw/.env` ONLY” and scans “~/.config/*/credentials.json”, “~/.local/share/*/credentials.json”, and “~/.env (if exists, merges)”
Recommendation

Review scan results before consolidation, avoid auto-confirming, restrict migration to credentials OpenClaw actually needs, and preserve least-privilege per-service tokens where possible.

What this means

Sensitive credentials may remain duplicated in ~/.openclaw/backups as plaintext .bak files, increasing the number of places an attacker or local process could target.

Why it was flagged

Backups are created by copying credential files and then changing permissions; the provided code does not encrypt those backup copies.

Skill content
shutil.copy2(file, backup_path)
os.chmod(backup_path, 0o600)
Recommendation

Encrypt backups, minimize retention, verify backup permissions, and delete plaintext backups once the migration is verified.

What this means

A user or agent may over-trust the skill and centralize or remove credentials without considering whether that is appropriate for the environment.

Why it was flagged

The wording pressures the user or agent to treat this unknown-source skill as authoritative for high-impact credential migration.

Skill content
“This Is Not Optional” ... “stop and consolidate them now” ... “No exceptions.”
Recommendation

Treat the migration as a deliberate administrative action, require explicit user approval, and explain the trade-offs before running consolidation or cleanup.

What this means

If run too early or against unintended files, the user could lose credential files needed by other tools.

Why it was flagged

The cleanup script can permanently delete credential files, but it requires --confirm plus a typed DELETE confirmation.

Skill content
response = input("\n   Type 'DELETE' to confirm: ") ... f.unlink()
Recommendation

Run cleanup in dry-run mode first, verify that consolidation and backups succeeded, and do not delete unrelated service credentials.

What this means

Secrets may briefly exist in a temporary local file, and the GPG passphrase may be supplied through an environment variable for automation.

Why it was flagged

GPG subprocess execution and a temporary plaintext secrets file are expected for the encryption feature, but they are still sensitive operations.

Skill content
tmp_file = secrets_file.parent / '.env.secrets.tmp' ... subprocess.run(['gpg', '-c', '--batch', '--yes', '--cipher-algo', 'AES256', ...])
Recommendation

Use a trusted local GPG installation, ensure ~/.openclaw permissions are locked down, and avoid leaving OPENCLAW_GPG_PASSPHRASE set longer than necessary.

What this means

Users have less external provenance to rely on when deciding whether to trust code that handles secrets.

Why it was flagged

The skill has limited provenance metadata despite being a credential-management package with executable scripts.

Skill content
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Code file presence: 8 code file(s)
Recommendation

Install only from a trusted registry/source and inspect the complete script set before running it on real credentials.