MANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Includes GPG encryption for high-value secrets, credential rotation tracking, deep scanning, and backup hardening. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional — centralized credential management is a core requirement for secure OpenClaw deployments.
数据来源:ClawHub。 在 ClawSkills 查看
选择你使用的 Agent
方法一:命令行安装(推荐)
推荐(无需提前安装 clawhub)
npx clawhub@latest --dir ~/.claude/skills install openclaw-credential-manager或使用 clawhub CLI(需提前安装)
clawhub --dir ~/.claude/skills install openclaw-credential-manager⚠️ 需要 Node.js 18+,没有 Node?请使用下方方法二直接下载 ZIP。 安装 Node.js →
方法二:手动下载安装(无需 Node)
下载 ZIP,解压后将文件夹放到以下路径,重启 Agent 即可:
安装路径
~/.claude/skills/openclaw-credential-manager/💡解压后将文件夹放到上方路径,重启 Agent 即可生效
--- name: credential-manager description: MANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Includes GPG encryption for high-value secrets, credential rotation tracking, deep scanning, and backup hardening. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional — centralized credential management is a core requirement for secure OpenClaw deployments. ---
STATUS: MANDATORY SECURITY FOUNDATION
Consolidate scattered API keys and credentials into a secure, centralized .env file.
Centralized .env credential management is a core requirement for OpenClaw security. If your credentials are scattered across multiple files, stop and consolidate them now.
THE RULE: All credentials MUST be in ~/.openclaw/.env ONLY. No workspace, no skills, no scripts directories.
See:
Every OpenClaw deployment MUST have:
~/.openclaw/.env (mode 600)
This is your single source of truth for all credentials. No exceptions.
Why?
Scattered credentials = scattered attack surface. This skill fixes that.
~/.openclaw/.envThe skill automatically detects credentials by scanning for:
File Patterns:
~/.config/*/credentials.json — Service config directories~/.config//.credentials.json — Nested credential files~/.openclaw/*.json — Credential files in OpenClaw root~/.openclaw/-credentials — Named credential files (e.g., farcaster-credentials.json)~/.openclaw/workspace/memory/*-creds.json — Memory credential files~/.openclaw/workspace/memory/credentials.json — Memory credential files~/.openclaw/workspace/.env — Workspace env files~/.openclaw/workspace/*/.env — Subdirectory env files~/.openclaw/workspace/skills/*/.env — Skill env files~/.local/share/*/credentials.json — Local share directoriesSensitive Key Patterns:
Deep Scan (--deep flag):
.sh, .js, .py, .mjs, .ts files for hardcoded secretssk_, pk_, Bearer, 0x + 64 hex)node_modules/, .git/Security Checks:
600 for files, 700 for directories)600 for backup files, 700 for backup dirs)0x + 64 hex char values)# Scan for credentials
./scripts/scan.py
# Deep scan (includes hardcoded secrets in scripts)
./scripts/scan.py --deep
# Review and consolidate
./scripts/consolidate.py
# Validate security
./scripts/validate.py
# Encrypt high-value secrets
./scripts/encrypt.py --keys MAIN_WALLET_PRIVATE_KEY,CUSTODY_PRIVATE_KEY
# Check rotation status
./scripts/rotation-check.py
# Scan only
./scripts/scan.py
# Consolidate specific service
./scripts/consolidate.py --service x
# Backup without removing
./scripts/consolidate.py --backup-only
# Clean up old files
./scripts/cleanup.py --confirm
The skill scans these locations:
~/.config/*/credentials.json
~/.openclaw/*.json
~/.openclaw/*-credentials*
~/.openclaw/workspace/memory/*-creds.json
~/.openclaw/workspace/memory/*credentials*.json
~/.openclaw/workspace/*/.env
~/.openclaw/workspace/skills/*/.env
~/.env (if exists, merges)
✅ File permissions: Sets .env to mode 600 (owner only) ✅ Directory permissions: Sets backup dirs to mode 700 (owner only) ✅ Backup permissions: Sets backup files to mode 600 (owner only) ✅ Git protection: Creates/updates .gitignore ✅ Backups: Timestamped backups before changes (secured) ✅ Validation: Checks format, permissions, entropy, and duplicates ✅ Template: Creates .env.example (safe to share) ✅ GPG encryption: Encrypts high-value secrets at rest ✅ Rotation tracking: Warns when credentials need rotation ✅ Deep scan: Detects hardcoded secrets in source files ✅ Symlink-aware: Validates symlinked .env targets
After migration:
~/.openclaw/
├── .env # All credentials (secure, mode 600)
├── .env.secrets.gpg # GPG-encrypted high-value keys (mode 600)
├── .env.meta # Rotation metadata (mode 600)
├── .env.example # Template (safe to share)
├── .gitignore # Protects .env and .env.secrets.gpg
└── backups/ # (mode 700)
└── credentials-old-YYYYMMDD/ # (mode 700)
└── *.bak # Backup files (mode 600)
Private keys, wallet keys, and mnemonics should never exist as plaintext on disk. Use GPG encryption for these.
# First-time setup (generates OpenClaw GPG key, configures agent cache)
./scripts/setup-gpg.sh
# Encrypt specific keys (moves them from .env to .env.secrets.gpg)
./scripts/encrypt.py --keys MAIN_WALLET_PRIVATE_KEY,CUSTODY_PRIVATE_KEY,SIGNER_PRIVATE_KEY
# The .env will contain placeholders:
# MAIN_WALLET_PRIVATE_KEY=GPG:MAIN_WALLET_PRIVATE_KEY
The enforce.py module handles this transparently:
from enforce import get_credential
# Works for both plaintext and GPG-encrypted keys
key = get_credential('MAIN_WALLET_PRIVATE_KEY')
# If value starts with "GPG:", decrypts from .env.secrets.gpg automatically
On headless servers (VPS), the GPG agent caches the passphrase:
setup-gpg.sh| Key Type | Encrypt? | Why | |----------|----------|-----| | Wallet private keys | ✅ Yes | Controls funds | | Custody/signer private keys | ✅ Yes | Controls identity | | Mnemonics / seed phrases | ✅ Yes | Master recovery | | API keys (services) | ❌ No | Revocable, low damage | | Agent IDs, names, URLs | ❌ No | Not secrets |
# Initialize rotation tracking for all keys
./scripts/rotation-check.py --init
...
安装 OpenClaw Credential Manager 后,可以对 AI 说这些话来触发它
Help me get started with OpenClaw Credential Manager
Explains what OpenClaw Credential Manager does, walks through the setup, and runs a quick demo based on your current project
Use OpenClaw Credential Manager to mANDATORY security foundation for OpenClaw
Invokes OpenClaw Credential Manager with the right parameters and returns the result directly in the conversation
What can I do with OpenClaw Credential Manager in my developer & devops workflow?
Lists the top use cases for OpenClaw Credential Manager, with example commands for each scenario
将技能文件夹放到 ~/.claude/skills/openclaw-credential-manager/ 目录(个人级,所有项目可用),或 .claude/skills/openclaw-credential-manager/(项目级)。重启 AI 客户端后,用 /openclaw-credential-manager 主动调用,或让 AI 根据上下文自动发现并使用。
OpenClaw Credential Manager 支持 Claude、Cursor、OpenClaw,可与这些 AI 平台无缝集成,扩展其能力。
OpenClaw Credential Manager 可免费安装使用。请查阅仓库了解许可证信息。
MANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Includes GPG encryption for high-value secrets, credential rotation tracking, deep scanning, and backup hardening. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional — centralized credential management is a core requirement for secure OpenClaw deployments.
Automate my developer & devops tasks using OpenClaw Credential Manager
Identifies repetitive steps in your workflow and sets up OpenClaw Credential Manager to handle them automatically
OpenClaw Credential Manager 属于「Developer & DevOps」分类,该分类的技能帮助 AI 智能体在此领域执行专业任务。