api-key-auditor
by lemonGGGit · GitHub · v1.0.0 · MIT-0
153 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install api-key-auditor
Description
Scans every file under ~/.openclaw/workspace/skills for hardcoded API keys, tokens and secrets, checks whether each one is already integrated into openclaw.json env.vars, and can automatically migrate the unintegrated credentials there. Use when user asks to audit/check/scan for...
README (SKILL.md)
API Key Auditor
Scans the skills directory for hardcoded credentials and prints an integration-status report.
How to run
# Audit only (read-only; modifies no files)
python3 ~/.openclaw/workspace/skills/api-key-auditor/scripts/audit.py
# Auto-migrate: write unintegrated keys into openclaw.json
python3 ~/.openclaw/workspace/skills/api-key-auditor/scripts/audit.py --fix
Parameters
| Parameter | Default | Description |
|---|---|---|
| --skills-dir | ~/.openclaw/workspace/skills | Directory to scan |
| --openclaw-json | ~/.openclaw/openclaw.json | Target config file |
| --fix | off | Automatically write unintegrated keys into env.vars |
Report status markers
| Marker | Meaning |
|---|---|
| ✅ Integrated in openclaw.json | The credential is already registered as an environment variable; no action needed |
| 🔧 mcporter managed (no migration needed) | The key lives in ~/.mcporter/mcporter.json, where mcporter manages MCP server connections centrally; it is not extracted |
| ⚠️ Not integrated | The credential is hardcoded in a file; migration is recommended |
Migration workflow
- Run the audit and review the ⚠️ Not integrated items
- Run with --fix: the script writes those keys into openclaw.json env.vars and lists the file locations that still need manual replacement
- In each listed file, replace the hardcoded value with an environment variable reference:
  - Python: os.environ.get('VAR_NAME')
  - Shell: $VAR_NAME or ${VAR_NAME}
- Restart OpenClaw so the environment variables take effect (openclaw gateway restart)
- Run the audit again and confirm every item shows ✅
Design notes
- mcporter keys are not extracted: the ?key= parameter in the MCP server URLs inside ~/.mcporter/mcporter.json is already managed by mcporter and does not count as a hardcoded credential to extract
- Placeholders are filtered automatically: sample values such as your-api-key-here and REPLACE_ME are not reported
- Read-only mode is safe: without --fix the script modifies no files
Usage Guidance
Inspect and run in read-only mode first: run the auditor without --fix to review findings. If you use --fix, be aware the script writes the raw secret values into ~/.openclaw/openclaw.json (plaintext); back up that file and ensure its filesystem permissions are restrictive. Review added env var names and manually replace hardcoded values in source files as instructed. Only run --fix if you trust this skill source and understand the tradeoff of centralizing secrets. If unsure, open scripts/audit.py yourself to verify behavior before running.
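The scan, classify and --fix workflow described in SKILL.md, together with the backup and file-permission advice in Usage Guidance, as an added Python example. This is not the skill's own scripts/audit.py: the credential regex, the placeholder list, the assumed layouts of openclaw.json ({"env": {"vars": {...}}}) and mcporter.json ({"mcpServers": {name: {"url": ...}}}), the helper names (scan_files, classify, migrate, save_config, run_demo) and every sample file, config and value are assumptions constructed for the demo. Beyond what the README spells out, it also handles the case where two unintegrated literals would map to the same variable name.

```python
# Added example (not the skill's own scripts/audit.py): a minimal model of the
# scan -> classify -> --fix workflow in SKILL.md. Regexes, config layouts and
# every sample value below are assumptions constructed for this demo.
import json
import os
import re
import shutil
import tempfile
from urllib.parse import parse_qs, urlparse

# Assumed detector: NAME = "literal" (or "name": "literal"), NAME looking like a
# key/token/secret and the literal long enough (>= 16 chars) to be a real one.
CRED_RE = re.compile(
    r"(?i)(?P<name>[A-Z0-9_]*(?:API[_-]?KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)"
    r"['\"]?\s*[=:]\s*['\"](?P<value>[^'\"\s]{16,})['\"]")
# Sample values SKILL.md says must not be reported (assumed list).
PLACEHOLDER_RE = re.compile(r"(?i)your[-_ ]|replace[-_ ]?me|example|placeholder|changeme|<[^>]*>")
INTEGRATED, MCPORTER, UNINTEGRATED = "integrated", "mcporter", "unintegrated"

def scan_files(files):
    """files: {relative_path: text} -> one finding per credential literal."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = CRED_RE.search(line)
            if m and not PLACEHOLDER_RE.search(m["value"]):
                findings.append({"file": path, "line": lineno,
                                 "name": m["name"], "value": m["value"]})
    return findings

def classify(findings, openclaw_cfg, mcporter_cfg):
    """Attach the SKILL.md report status to each finding."""
    env_vars = openclaw_cfg.get("env", {}).get("vars", {})          # assumed layout
    registered = {value: name for name, value in env_vars.items()}
    # ?key=... in MCP server URLs is mcporter-managed (assumed mcporter.json layout)
    managed = {k for s in mcporter_cfg.get("mcpServers", {}).values()
               for k in parse_qs(urlparse(s.get("url", "")).query).get("key", [])}
    for f in findings:
        if f["value"] in registered:
            f["status"], f["env_var"] = INTEGRATED, registered[f["value"]]
        elif f["value"] in managed:
            f["status"], f["env_var"] = MCPORTER, None
        else:
            f["status"], f["env_var"] = UNINTEGRATED, None
    return findings

def migrate(findings, openclaw_cfg):
    """--fix: register unintegrated values under env.vars; return the (file, line,
    VAR) list to replace by hand. Never overwrites a name holding another value."""
    env_vars = openclaw_cfg.setdefault("env", {}).setdefault("vars", {})
    todo = []
    for f in findings:
        if f["status"] != UNINTEGRATED:
            continue
        base = f["name"].upper()
        var, n = base, 2
        while var in env_vars and env_vars[var] != f["value"]:
            var, n = f"{base}_{n}", n + 1                    # name clash: suffix it
        env_vars[var] = f["value"]
        f["status"], f["env_var"] = INTEGRATED, var
        todo.append((f["file"], f["line"], var))
    return todo

def save_config(path, cfg):
    """Back up the old file, then replace it atomically with owner-only perms:
    after --fix, env.vars holds the raw secrets in plaintext."""
    if os.path.exists(path):
        shutil.copy2(path, path + ".bak")                    # keeps the old mode
    tmp = path + ".tmp"
    with os.fdopen(os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as fh:
        json.dump(cfg, fh, indent=2)
    os.chmod(tmp, 0o600)                                     # O_CREAT mode is umask-masked
    os.replace(tmp, path)

# Constructed sample skill files, openclaw.json and mcporter.json.
SAMPLE_FILES = {
    "weather/run.py": 'API_KEY = "sk-live-0123456789abcdef"\n',
    "search/config.json": '{"token": "ghp_ABCDEFGHIJKLMNOPQRSTUV"}\n',
    "maps/client.sh": 'MAPS_TOKEN="mapkey-0000111122223333"\n',
    "demo/README.md": 'API_KEY = "your-api-key-here"\n',
    "mail/send.py": 'API_KEY = "mail-9876543210fedcba"\n',
}
SAMPLE_OPENCLAW = {"env": {"vars": {"SEARCH_TOKEN": "ghp_ABCDEFGHIJKLMNOPQRSTUV"}}}
SAMPLE_MCPORTER = {"mcpServers": {"maps": {"url": "https://mcp.example/sse?key=mapkey-0000111122223333"}}}

def run_demo(fix=False):
    """Audit the samples; with fix=True also migrate and write the config to a temp dir."""
    cfg = json.loads(json.dumps(SAMPLE_OPENCLAW))            # deep copy
    findings = classify(scan_files(SAMPLE_FILES), cfg, SAMPLE_MCPORTER)
    todo, mode, backup_ok = [], None, False
    if fix:
        todo = migrate(findings, cfg)
        workdir = tempfile.mkdtemp()
        path = os.path.join(workdir, "openclaw.json")
        save_config(path, SAMPLE_OPENCLAW)                   # the pre-existing file
        save_config(path, cfg)
        mode, backup_ok = os.stat(path).st_mode & 0o777, os.path.exists(path + ".bak")
        shutil.rmtree(workdir)
    return {"findings": findings, "todo": todo, "env_vars": cfg["env"]["vars"],
            "mode": mode, "backup_ok": backup_ok}

if __name__ == "__main__":
    for f in run_demo()["findings"]:
        print(f["status"], f["file"], f["line"], f["name"], f["env_var"])
```

Running the file prints the read-only report for the constructed skills: the weather and mail keys are not integrated, the search token is already registered as SEARCH_TOKEN, the maps key is mcporter-managed, and the README placeholder is filtered out. run_demo(fix=True) then registers the two unintegrated values (the second one as API_KEY_2 because API_KEY already holds a different value) and writes the config with a .bak copy and mode 0600; as in the migration workflow, the source lines still have to be rewritten to read the variable.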
Capability Analysis
Type: OpenClaw Skill
Name: api-key-auditor
Version: 1.0.0
The api-key-auditor skill is a security utility designed to identify hardcoded credentials within the OpenClaw workspace and facilitate their migration to environment variables in openclaw.json. The script (scripts/audit.py) performs local file scanning using regular expressions and provides a report or an automated fix mechanism; it does not exhibit any signs of data exfiltration, remote execution, or unauthorized access beyond its stated purpose.
Capability Assessment
Purpose & Capability
The name/description match the included code and SKILL.md. The script scans ~/.openclaw/workspace/skills, checks ~/.openclaw/openclaw.json, optionally writes found values there, and skips mcporter-managed keys — all coherent with the stated purpose.
Instruction Scope
Instructions and the script operate only on local files (skills directory, ~/.openclaw/openclaw.json, ~/.mcporter/mcporter.json). They do not call external networks or hidden endpoints. Note: the --fix mode will write secrets into openclaw.json (the SKILL.md explains this), and SKILL.md suggests restarting the gateway; run read-only first.
Install Mechanism
Instruction-only skill with a bundled Python script and no install spec; nothing is downloaded or installed automatically.
Credentials
The skill requests no environment variables or external credentials. It legitimately reads local config files. Caution: migrating with --fix stores secret values in plaintext inside openclaw.json, which centralizes secrets and may increase exposure if that file is widely readable.
Persistence & Privilege
The skill is not forced-always, does not modify other skills, and only updates the openclaw.json file when explicitly run with --fix. Autonomous invocation is allowed by default but not combined with other concerning privileges here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install api-key-auditor
- After installation, invoke the skill by name or use /api-key-auditor
- Provide the required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release — scans and audits hardcoded API keys and credentials in the skills directory, with optional migration to central config.
- Scans all files in ~/.openclaw/workspace/skills for hardcoded API keys, tokens, and secrets.
- Reports integration status: integrated in openclaw.json, managed by mcporter, or not yet integrated.
- Supports read-only audit and --fix mode for automatic migration of unregistered credentials to openclaw.json env.vars.
- Skips sample values and mcporter-managed keys to avoid false positives.
- Clear instructions provided for manual replacement and integration workflow.
Frequently Asked Questions
What is api-key-auditor?
Scans every file under ~/.openclaw/workspace/skills for hardcoded API keys, tokens and secrets, checks whether each one is already integrated into openclaw.json env.vars, and can automatically migrate the unintegrated credentials there. Use when user asks to audit/check/scan for... It is an AI Agent Skill for Claude Code / OpenClaw, with 153 downloads so far.
How do I install api-key-auditor?
Run "/install api-key-auditor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is api-key-auditor free?
Yes, api-key-auditor is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does api-key-auditor support?
api-key-auditor is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created api-key-auditor?
It is built and maintained by lemonGGGit (@lemongggit); the current version is v1.0.0.