Workspace Audit

v1.1.0

Audit your OpenClaw workspace for drift — stale paths, duplicate content, oversized files, secret leaks, and 1Password vault mismatches. Zero deps. By The Ag...

by The Agent Wire (@theagentwire)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the included scripts: structure/size checks, duplication detection, path verification, and an optional 1Password vault cross-check. The declared 'zero deps' claim is accurate in spirit (bash + Python stdlib; 1Password CLI and git are optional). No unrelated credentials or remote services are requested.
Instruction Scope
Scripts operate on local workspace files, run grep/find/git/python, and optionally call the 1Password CLI (op) to list item titles. They do not fetch or transmit file contents to arbitrary external endpoints. Caveat: audit-1password.sh will invoke the user's configured op CLI which will contact 1Password to list items (expected for a vault audit). The scripts also print matching/missing items and file names to stdout — these outputs can surface sensitive metadata (item titles, filenames) into logs or cron emails.
Install Mechanism
No install specification; this is an instruction-and-script bundle. No downloads or archive extraction. The runtime relies on standard system tools (bash, python3) and optionally on op and git if present — all documented in SKILL.md.
Credentials
The skill declares no required env vars and only uses reasonable, optional environment variables (WS, TOOLS_MD, OP_VAULT, AUDIT_CONFIG). It suggests OP_SERVICE_ACCOUNT_TOKEN for 1Password authentication but does not require unrelated secrets or cloud credentials.
Persistence & Privilege
Skill is not forced-always (always:false) and does not modify other skills or system configuration. It is user-invocable and may be run on a schedule if you choose (cron), which is documented; that scheduling is under the user's control.
Assessment
This skill appears to do what it says — scan your local OpenClaw workspace for drift and optionally compare TOOLS.md to your 1Password vault. Before running it:
- Review the scripts locally (they're included) and run them interactively first so you can inspect outputs.
- Ensure bash and python3 are available; the 1Password check requires the official op CLI and valid authentication (OP_SERVICE_ACCOUNT_TOKEN or op signin) if you want that audit.
- Be aware outputs (vault item titles, matching/missing filenames, and detected 'possible secrets') are printed to stdout and could end up in logs, cron emails, or monitoring systems — avoid running in environments where logs are exposed to untrusted parties.
- If you schedule it (cron/agent automation), restrict the execution environment and do not expose OP tokens or other secrets to shared runners. Review audit.conf to tune size limits.
- If you need stricter privacy, skip the 1Password audit or run the scripts with op disconnected so network calls to 1Password are avoided.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🔍 Clawdis