Official Verified system Safety 4/5

canary

Scans your OpenClaw environment for leaked secrets — API keys, tokens, credentials in .env files, installed skills, and shell history. Runs silently on startup, deep scans on demand. Fixes issues with your permission.

Why use this skill?

Secure your OpenClaw environment with Canary. Automatically scan for exposed API keys, credentials, and sensitive files. Keep your secrets safe with intelligent deep-scan auditing.

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/sukiraman/canary

What This Skill Does

Canary acts as the primary security layer for your OpenClaw environment, functioning as an early warning system for exposed secrets. It is designed to proactively identify and mitigate the risks of credential leakage, which is a common hazard when working with AI agents that have broad file system access. Canary operates using two distinct scan profiles: a silent 'Light Scan' that triggers on every system startup to ensure no immediate, high-risk credentials are world-readable, and a comprehensive 'Deep Scan' that performs an exhaustive audit of your local workspace, session histories, and sensitive configuration directories. By analyzing patterns and heuristic data, it alerts you to the presence of API keys, SSH keys, cloud provider tokens, and plaintext passwords, then offers an automated path to resolution.

Installation

To integrate Canary into your OpenClaw environment, execute the following command in your terminal or via the OpenClaw command interface:

clawhub install openclaw/skills/skills/sukiraman/canary

Once installed, the skill will immediately register its startup hooks to ensure your environment is secured from the next boot cycle forward.

Use Cases

Canary is essential for developers, data scientists, and power users who utilize AI agents. Primary use cases include:

  • Post-development cleanup: Scanning a project directory before pushing code to a public repository to ensure no .env files contain active secrets.
  • Security auditing: Identifying stale or accidentally hardcoded credentials in skill directories that may have been copied over from legacy projects.
  • Compliance checks: Ensuring that sensitive local files, such as ~/.ssh or cloud config files, maintain proper Unix permissions and are not accessible by other system users.
  • Incident response: If you suspect you may have accidentally pasted an API token into a chat window or shell command, running a Deep Scan can pinpoint exactly where that data was written to disk.
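
The two checks described above, secret patterns in .env files and files readable by other system users, as an added example in Python. It is not Canary's code; the patterns, function names and sample workspace are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumed patterns for illustration; Canary's actual rule set is not shown on this page.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential-assignment": re.compile(r"(?i)(?:api_?key|secret|token|password)\w*\s*=\s*\S{12,}"),
}

def scan_file(path):
    """Return (path, finding, detail) tuples for one file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):  # readable by group or other users
        findings.append((path, "readable-by-others", oct(mode)))
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for name, rx in SECRET_PATTERNS.items():
                if rx.search(line):
                    # Report the location only; never echo the secret itself.
                    findings.append((path, name, f"line {lineno}"))
    return findings

def scan_tree(root):
    """Scan every .env and .env.* file under root, skipping VCS and dependency dirs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for fn in filenames:
            if fn == ".env" or fn.startswith(".env."):
                findings.extend(scan_file(os.path.join(dirpath, fn)))
    return findings

def demo():
    """Scan a constructed workspace: one leaky .env, one clean .env.local."""
    with tempfile.TemporaryDirectory() as root:
        for name, body, mode in [
            (".env", "DEBUG=1\nAWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00\n", 0o644),
            (".env.local", "DEBUG=0\nLOG_LEVEL=info\n", 0o600),
        ]:
            path = os.path.join(root, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return sorted((os.path.relpath(p, root), k, d) for p, k, d in scan_tree(root))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Findings carry only the file, rule name and line number, so the scan output itself does not become another copy of the secret.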

Example Prompts

  • "Canary, run a full security deep scan on my current project directory and report any risks."
  • "Canary, check if I have any exposed API keys in my recent shell history or local .env files."
  • "Canary, list all current security findings and help me revoke any compromised secrets found."

Tips & Limitations

Canary is a powerful tool, but it should not be your only line of defense. Always employ environment variables and vault solutions (like HashiCorp Vault or AWS Secrets Manager) for production-grade secrets. While Canary is excellent at identifying risks, it cannot prevent you from inputting secrets into third-party, non-secure web interfaces. Ensure you review the 'fix' proposals carefully before confirming, as automated remediation can occasionally alter file permissions or move files that you might need for specific, non-standard workflows. Use the tool regularly to maintain a high-security posture.

Metadata

Author: @sukiraman
Stars: 982
Views: 0
Updated: 2026-02-14

Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-sukiraman-canary": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags

#security #secrets #credentials #hardening #audit #privacy
Safety Score: 4/5

Flags: file-read, file-write