Downloads: 186
Stars: 0
Active Installs: 0
Versions: 11
Install in OpenClaw
/install token-safety-checker
Description
Scan openclaw.json for plaintext secrets (tokens, API keys, passwords) and migrate them to environment variables using SecretRef. Use when the user asks to "...
Usage Guidance
This tool appears to do what it says: it scans your local openclaw.json, shows you which fields look like secrets, and (after your confirmation) writes those secret values into your shell profile and replaces them with SecretRef entries in the config, creating a .bak first. Before running:
1) always run the --dry-run and review the exact export lines it will append to your profile,
2) verify the backup file (openclaw.json.bak) is created,
3) if you use systemd or Docker, follow the SKILL.md guidance instead of relying on profile sourcing, and
4) consider using SecretRef types 'file' or 'exec' (as suggested) for stricter setups.
If you want extra assurance, review the included scripts/safeclaw.py source yourself to confirm no unexpected network calls are present (the code uses git subprocesses for optional history scanning but does not make network requests).
Capability Analysis
Type: OpenClaw Skill
Name: token-safety-checker
Version: 2.0.0
The skill is a defensive security utility designed to identify plaintext secrets in OpenClaw configurations and migrate them to environment variables. It demonstrates strong security hygiene by ensuring secret values are never exposed in CLI arguments, logs, or the AI agent's context (returning only metadata like paths and lengths to the agent). While it performs high-privilege actions such as modifying shell profiles (~/.zshrc, ~/.bashrc) and reading git history via scripts/safeclaw.py, these actions are strictly aligned with its documented purpose and include safety measures like robust shell-quoting to prevent injection. No evidence of data exfiltration or malicious intent was found.
Capability Assessment
Purpose & Capability
Name/description match the files and runtime behavior: the script scans openclaw.json, backs it up, replaces values with SecretRef, and writes env exports to shell profiles. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md and the script are consistent: the runtime instructions describe scan → confirm → dry-run → migrate → verify → rollback. The script acts on local files (openclaw.json, shell profile, .bak) and refrains from printing secret values in outputs. It reads secret values from disk for migration and writes them into the user's shell profile (as advertised).
Install Mechanism
No install spec (instruction-only) and included code runs locally. There are no network downloads or external install steps in the package itself.
Credentials
The skill requests no environment variables or credentials. It does check the current process environment during verification (to confirm SecretRef env vars are set), which is appropriate for its purpose and proportional to migrating secrets to env vars.
Persistence & Privilege
always is false; the skill does not request persistent/privileged platform presence. It modifies only the user's openclaw.json and the user's shell profile (as documented) and creates a local backup file — behavior that aligns with its stated purpose.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install token-safety-checker
- After installation, invoke the skill by name or use /token-safety-checker
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.0
Release 2.0.0
v1.0.9
Release 1.0.9
v1.0.8
Release 1.0.8
v1.0.7
Release 1.0.7
v1.0.6
Release 1.0.6
v1.0.5
Release 1.0.5
v1.0.4
Release 1.0.4
v1.0.3
Release 1.0.3
v1.0.2
Release 1.0.2
v1.0.1
Release 1.0.1
v1.0.0
Release 1.0.0
Frequently Asked Questions
What is Token Safety Checker?
Scan openclaw.json for plaintext secrets (tokens, API keys, passwords) and migrate them to environment variables using SecretRef. Use when the user asks to "... It is an AI Agent Skill for Claude Code / OpenClaw, with 186 downloads so far.
How do I install Token Safety Checker?
Run "/install token-safety-checker" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Token Safety Checker free?
Yes, Token Safety Checker is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Token Safety Checker support?
Token Safety Checker is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Token Safety Checker?
It is built and maintained by xinyu (@maoisdamao); the current version is v2.0.0.