Official Verified developer tools Safety 4/5

openclaw-vault

Skill by atlaspa


What This Skill Does

OpenClaw Vault is a comprehensive security auditing utility designed to monitor the entire lifecycle of credentials within your development workspace. Unlike traditional secret scanners that focus solely on hardcoded strings within source files, Vault analyzes the contextual exposure of credentials. It identifies risks stemming from insecure system permissions, sensitive data trapped in shell histories, misconfigured Git remote URLs, hardcoded secrets in configuration files (JSON, YAML, TOML, INI), application logs, and even secrets baked into Docker container images. By tracking the age and accessibility of these credentials, OpenClaw Vault provides a holistic view of your security posture, helping developers move beyond simple detection and into proactive credential lifecycle management.

Installation

To integrate this skill into your environment, run the following command in your terminal:

clawhub install openclaw/skills/skills/atlaspa/openclaw-vault

Ensure that you have python3 installed and that your environment variables are configured to allow the script access to your workspace. The tool automatically detects your workspace based on the OPENCLAW_WORKSPACE variable, the current directory (if an AGENTS.md file is present), or the default path at ~/.openclaw/workspace.

Use Cases

  • Security Audits: Run a full credential audit before pushing code to a shared repository to ensure no secrets have leaked into environment files or logs.
  • Continuous Compliance: Periodically inventory credentials to identify 'stale' tokens that have not been rotated, meeting standard security compliance requirements.
  • System Hardening: Use the exposure check command to identify if your .env or configuration files have overly permissive file permissions that could be read by other system users.
  • CI/CD Cleanup: Audit Docker images or temporary config files to ensure no sensitive build-time credentials were left behind in the container filesystem.
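The permission check described under System Hardening, scoped to a workspace located the way the Installation section describes, shown here as an added example that is not OpenClaw Vault's own code. The function names, the precedence order of the three workspace sources, the file-name patterns, the skipped directories and the use of POSIX permission bits are all assumptions.

```python
import os
import stat
from pathlib import Path

CONFIG_SUFFIXES = {".json", ".yaml", ".yml", ".toml", ".ini"}  # formats named on this page
SKIP_DIRS = {".git", "node_modules"}  # assumption: directories not worth walking
RISKY_BITS = [(stat.S_IRGRP, "group-read"), (stat.S_IWGRP, "group-write"),
              (stat.S_IROTH, "other-read"), (stat.S_IWOTH, "other-write")]


def resolve_workspace(environ, cwd, home):
    """Assumed precedence: OPENCLAW_WORKSPACE, then cwd holding AGENTS.md, then default."""
    explicit = environ.get("OPENCLAW_WORKSPACE")
    if explicit:
        return Path(explicit)
    if (Path(cwd) / "AGENTS.md").is_file():
        return Path(cwd)
    return Path(home) / ".openclaw" / "workspace"


def is_candidate(name):
    """Match .env, .env.<suffix> and the config formats listed above."""
    if name == ".env" or name.startswith(".env."):
        return True
    return Path(name).suffix.lower() in CONFIG_SUFFIXES


def find_exposed(workspace):
    """Return sorted (relative_path, octal_mode, problems) for files others can access."""
    findings = []
    for root, dirs, files in os.walk(workspace):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]  # prune in place
        for name in filter(is_candidate, files):
            path = Path(root) / name
            st = path.lstat()  # do not follow symlinks out of the workspace
            if not stat.S_ISREG(st.st_mode):
                continue
            problems = [label for bit, label in RISKY_BITS if st.st_mode & bit]
            if problems:
                mode = format(stat.S_IMODE(st.st_mode), "04o")
                findings.append((str(path.relative_to(workspace)), mode, problems))
    return sorted(findings)


if __name__ == "__main__":
    ws = resolve_workspace(os.environ, os.getcwd(), Path.home())
    for rel, mode, problems in find_exposed(ws):
        print(f"{mode}  {rel}  ({', '.join(problems)})")
```

Files reported here are typically tightened to mode 0600 so that only the owning user can read them.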

Example Prompts

  1. "OpenClaw, please run a full credential audit on my current workspace and show me which tokens are older than 90 days."
  2. "Can you perform an exposure check to see if I have accidentally left any credentials in my bash history or log files?"
  3. "Generate an inventory of all API keys and database URIs found in this project and flag any that have insecure read permissions."

Tips & Limitations

  • Permissions: Ensure the user running the Vault script has read access to the directories being scanned, or results may be incomplete.
  • False Positives: While highly effective at identifying exposure vectors, the tool can produce false positives, so always verify findings manually. It is designed to highlight risks, not necessarily to perform automated remediation.
  • Performance: For very large workspaces, the full audit may take some time. Use the status command for a quick health check rather than running a full scan for trivial updates.

Metadata

Author: @atlaspa
Stars: 4473
Views: 3
Updated: 2026-05-01

Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-atlaspa-openclaw-vault": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags (AI)

#security #audit #secrets-management #devops #compliance
Safety Score: 4/5

Flags: file-read, code-execution