API Key Guardian
by xiaohuaishu · GitHub · v1.0.0 · MIT-0
327 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw: /install api-key-guardian
Description
Security scanner for API keys and sensitive information. Detects leaked API keys, passwords and tokens in a code base, supports git-history scanning, and provides AI risk analysis and remediation advice. Use it when you need to check a project's security and prevent key leakage.
README (SKILL.md)
API Key Guardian 🔐
Scans a code base for sensitive information to prevent leakage of API keys, passwords and tokens.
Usage
# Scan the current directory
python3 guardian.py
# Scan a specified directory
python3 guardian.py --path /your/project
# Scan a single file
python3 guardian.py --file .env
# Scan git history
python3 guardian.py --git-history
# Enable AI risk analysis (requires the OpenClaw proxy to be running)
python3 guardian.py --ai
Detection types
- OpenAI / Anthropic / Google / AWS / GitHub / Stripe API keys
- ClawHub token
- RSA private keys
- Database connection strings
- Generic hard-coded passwords/secrets
Usage Guidance
This skill implements a secret scanner and a built-in AI analysis step. Before running it on real repositories:
1) Inspect guardian.py and remove or rotate the hard-coded API key; do not deploy code containing embedded secrets.
2) If you plan to use the --ai option, verify what local service should be listening on 127.0.0.1:18790 and why a fixed x-api-key is present; prefer configuring an API key via environment variables or the OpenClaw agent rather than an in-file secret.
3) Ensure git is available (the script calls git) and consider running the scanner in an isolated environment (container/machine) when scanning sensitive repos.
4) If you cannot validate the embedded key or the local proxy, avoid using --ai and run the scanner only after manual review.
5) Prefer installing/using a well-audited scanner from a known source; lack of homepage/source and the embedded credential increase risk.
Capability Analysis
Type: OpenClaw Skill
Name: api-key-guardian
Version: 1.0.0
The skill is a security utility designed to scan local directories and git history for leaked API keys and sensitive information (OpenAI, AWS, GitHub, etc.). It uses regex patterns defined in `patterns.py` and provides a masked report to the user. While `guardian.py` contains a hardcoded API key and sends data to a local endpoint (127.0.0.1:18790) for AI-based risk analysis, it only transmits metadata (file names and line numbers) rather than the actual secrets, and the local address suggests integration with a local AI proxy rather than remote exfiltration.
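To make the scanner's structure concrete (regex patterns, a masked report, and a metadata-only view suitable for handing to an external analysis step), here is a small added example. It is not the skill's guardian.py or patterns.py: the pattern set, the masking rule, the skipped-directory list and the sample input are all constructed for illustration, and the sample values are not real credentials.

```python
"""Minimal secret scanner in the style of the skill's guardian.py/patterns.py.

Added example, not the skill's own code: the pattern set, masking rule and
report format below are assumptions chosen for illustration.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Constructed detection patterns (the skill keeps its own set in patterns.py).
# A capturing group marks the secret when a prefix such as 'password=' is matched.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "rsa_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_password": re.compile(
        r"(?i)(?:password|passwd|secret)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
    ),
}

# Directories that are never worth scanning as plain files (assumed list).
SKIP_DIRS = {".git", "node_modules", "__pycache__"}


@dataclass
class Finding:
    source: str   # file path (or e.g. "git:<commit>" for history scans)
    line: int
    kind: str
    masked: str   # never the raw secret


def mask(secret: str) -> str:
    """Keep the first and last four characters: recognisable, but not reusable."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text: str, source: str) -> list[Finding]:
    """Run every pattern over every line and record masked findings in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex or 0)   # captured group if present, else whole match
                findings.append(Finding(source, lineno, kind, mask(secret)))
    return findings


def scan_path(root: str) -> list[Finding]:
    """Walk a directory tree, skipping VCS and dependency folders, and scan readable text files."""
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue   # unreadable file: skip rather than abort the scan
    return findings


def metadata_only(findings: list[Finding]) -> list[dict]:
    """The only thing an external analysis step should receive: location and type, no secret material."""
    return [{"source": f.source, "line": f.line, "kind": f.kind} for f in findings]


# Constructed sample input; none of these values is a real credential.
SAMPLE = """\
# constructed sample .env, not real credentials
AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
OPENAI_API_KEY=sk-constructedexamplekey0000000000
db_password = "hunter2hunter2"
DEBUG=true
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE, "sample.env")
    for f in results:
        print(f"{f.source}:{f.line} {f.kind} {f.masked}")
    print(metadata_only(results))
```

The split between `Finding.masked` and `metadata_only` is the point the capability analysis makes: the human-readable report carries a masked value, while anything sent to an analysis endpoint carries only file, line and type. `scan_path` is the directory-walk counterpart of the skill's `--path` option; git-history scanning would feed `git show` output into `scan_text` with a `git:<commit>` source label.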
Capability Assessment
Purpose & Capability
Name/description match the code: the Python scripts implement repo and git-history scanning and an optional AI analysis step. Requested runtime binary (python3) is appropriate. However, the code calls git via subprocess (git must exist) but the SKILL metadata only declared python3 — that's an omission. Also the script embeds a hard-coded API key and a local AI endpoint for the analysis step, which is unexpected for a scanner and not declared in requirements.
Instruction Scope
SKILL.md instructs running guardian.py and optionally enabling AI analysis. The code does exactly that, scanning files and git history. But the AI analysis function performs an HTTP POST to http://127.0.0.1:18790/anthropic/v1/messages using a hard-coded x-api-key value. The instructions do not mention this embedded key, the local proxy requirement, or what that key is for — creating a gap between documented behavior and actual network activity. The scanner will read arbitrary files in the repo (by design) and git history (also by design); that is expected but warrants caution on sensitive repos.
Install Mechanism
No install spec; the skill is provided as Python scripts and requires no external downloads. Nothing is written to disk beyond running the included scripts. This is the lowest-risk install mechanism.
Credentials
The manifest requests no environment variables or credentials, which is generally fine. But the code contains a hard-coded API key (x-api-key: "sk-RPBUoe2SH7KigJ0SZn6IPDirZtJ2fUaWSukEx1FwxjhWFx0G") used when contacting the local Anthropic-like endpoint. Embedding secrets in code is poor practice and increases risk. Also the script invokes git via subprocess but does not declare git as a required binary in metadata.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It does not modify other skills or system configuration. Autonomous invocation is allowed by default but is not combined here with other escalation indicators.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install api-key-guardian
- After installation, invoke the skill by name or use /api-key-guardian
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: scans the code base for leaked API keys, passwords and tokens, supports git-history scanning, and provides AI risk analysis.
Frequently Asked Questions
What is API Key Guardian?
Security scanner for API keys and sensitive information. It detects leaked API keys, passwords and tokens in a code base, supports git-history scanning, and provides AI risk analysis and remediation advice; use it when you need to check a project's security and prevent key leakage. It is an AI Agent Skill for Claude Code / OpenClaw, with 327 downloads so far.
How do I install API Key Guardian?
Run "/install api-key-guardian" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is API Key Guardian free?
Yes, API Key Guardian is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does API Key Guardian support?
API Key Guardian is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created API Key Guardian?
It is built and maintained by xiaohuaishu (@xiaohuaishu); the current version is v1.0.0.