derick001

Environment Secrets Rotator

by Derick · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
258 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install env-secrets-rotator
Description
Rotate and update secrets in environment files, generate Vault commands, and manage secret rotation workflows.
README (SKILL.md)

Environment Secrets Rotator

What This Does

A CLI tool to help rotate secrets in environment files and generate commands for secret managers like HashiCorp Vault. Securely generates new random values for secrets, updates .env files, and provides rotation workflows for development and production environments.

Key features:

  • Rotate secrets in .env files - Generate new random values for specified keys
  • Multiple generation algorithms - Hex, base64, UUID, custom length
  • Backup original files - Create backups before modification
  • Dry-run mode - Preview changes without modifying files
  • Generate Vault commands - Output HashiCorp Vault CLI commands for secret rotation
  • Batch processing - Rotate multiple keys across multiple files
  • Validation - Check .env file format and key existence
  • Rotation history - Track previous values (optional)

How To Use

Basic rotation:

./scripts/main.py rotate --file .env --keys API_KEY,DB_PASSWORD

With custom generation:

./scripts/main.py rotate --file .env --keys API_KEY --algorithm base64 --length 32

Dry run (preview):

./scripts/main.py rotate --file .env --keys "*" --dry-run

Generate Vault commands:

./scripts/main.py vault --keys API_KEY,DB_PASSWORD --path secret/data/myapp

Full command reference:

./scripts/main.py help

Commands

  • rotate: Rotate secrets in environment files

    • --file: Path to .env file (required)
    • --keys: Comma-separated keys to rotate, or "*" for all (default: "*")
    • --algorithm: Random generation algorithm: hex, base64, uuid, alphanumeric (default: hex)
    • --length: Length of generated secret (default: 32)
    • --backup: Create backup before modifying (default: true)
    • --dry-run: Preview changes without modifying files
    • --output: Write to new file instead of modifying original
  • vault: Generate HashiCorp Vault commands

    • --keys: Comma-separated keys to generate commands for
    • --path: Vault secret path (e.g., "secret/data/myapp")
    • --engine: Vault secrets engine (default: "kv")
    • --method: Vault method: patch, put (default: "patch")
  • validate: Validate .env file

    • --file: Path to .env file
    • --strict: Require all values to be non-empty
  • history: Show rotation history (if enabled)

    • --file: Path to .env file
    • --key: Specific key to show history for
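The following is an added example, not the skill's own scripts/main.py (which is not reproduced on this page): a minimal runnable version of the rotate and validate commands as the reference above describes them, in Python because the skill is a Python script. Function names, the SAMPLE_ENV text, and the choice to create the backup with mode 0600 and never overwrite an existing backup are assumptions, not behaviour the README documents.

```python
# Added example, not the skill's own scripts/main.py: a minimal, runnable
# version of the rotate and validate steps the command reference describes.
# Function names, SAMPLE_ENV and the 0600/no-overwrite backup policy are assumptions.
import base64
import os
import re
import secrets
import string
import uuid
from datetime import date

KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
ALNUM = string.ascii_letters + string.digits

# Constructed sample input in the simple KEY=VALUE format the README supports.
SAMPLE_ENV = "# db\nDB_PASSWORD='old-pw'\nAPI_KEY=abc123\nEMPTY=\n"


def generate_secret(algorithm="hex", length=32):
    """New secret from the CSPRNG (Python's secrets module, as the README says)."""
    if algorithm == "hex":            # length = number of hex characters
        return secrets.token_hex((length + 1) // 2)[:length]
    if algorithm == "base64":         # length = number of random bytes encoded
        return base64.urlsafe_b64encode(secrets.token_bytes(length)).decode().rstrip("=")
    if algorithm == "uuid":           # length is ignored; uuid4 carries 122 random bits
        return str(uuid.uuid4())
    if algorithm == "alphanumeric":   # length = number of characters
        return "".join(secrets.choice(ALNUM) for _ in range(length))
    raise ValueError(f"unknown algorithm: {algorithm}")


def validate_env(text, strict=False):
    """Return a list of problems with a .env text (empty list = valid).
    strict=True also flags empty values, like the README's --strict."""
    problems, seen = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = KEY_RE.match(s)
        if not m:
            problems.append(f"line {n}: not KEY=VALUE")
            continue
        key, value = m.groups()
        if key in seen:
            problems.append(f"line {n}: duplicate key {key}")
        seen.add(key)
        if strict and not value.strip().strip("'\""):
            problems.append(f"line {n}: empty value for {key}")
    return problems


def rotate_env(text, keys, algorithm="hex", length=32):
    """Return (new_text, new_values). keys is a list of names, or ["*"] for all.
    Comments, blank lines and the original quoting style are preserved."""
    want_all = keys == ["*"]
    new_values, out = {}, []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m and (want_all or m.group(1) in keys):
            key, old = m.groups()
            quote = old[0] if len(old) > 1 and old[0] in "'\"" and old.endswith(old[0]) else ""
            new_values[key] = generate_secret(algorithm, length)
            out.append(f"{key}={quote}{new_values[key]}{quote}")
        else:
            out.append(line)
    missing = [k for k in keys if not want_all and k not in new_values]
    if missing:   # fail loudly rather than leave a requested key unrotated
        raise KeyError(f"keys not found in file: {missing}")
    return "\n".join(out) + "\n", new_values


def write_private(path, text, exclusive=False):
    """Write a file only the owner can read (mode 0600). exclusive=True refuses to
    overwrite, so a backup is never clobbered by a second rotation the same day."""
    flags = os.O_WRONLY | os.O_CREAT | (os.O_EXCL if exclusive else os.O_TRUNC)
    with os.fdopen(os.open(path, flags, 0o600), "w", encoding="utf-8") as fh:
        fh.write(text)


def rotate_file(path, keys, algorithm="hex", length=32, backup=True, dry_run=False, output=None):
    """The rotate command: validate, rotate, back up, write. Result mirrors the README's JSON."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    problems = validate_env(text)
    if problems:
        raise ValueError("refusing to rotate an invalid file: " + "; ".join(problems))
    new_text, new_values = rotate_env(text, keys, algorithm, length)
    result = {"file": path, "rotated": sorted(new_values), "backup": None}
    if dry_run:                      # preview only: nothing written, no value emitted
        return result
    if backup:
        result["backup"] = f"{path}.backup.{date.today():%Y%m%d}"
        write_private(result["backup"], text, exclusive=True)
    write_private(output or path, new_text)
    result["new_values"] = new_values
    return result
```

Call `rotate_file(".env", ["API_KEY", "DB_PASSWORD"], dry_run=True)` to preview. This version deliberately emits no new values on a dry run, so a preview never prints a secret that was not written anywhere, and a file that fails validation or lacks a requested key stops the rotation instead of being partially rewritten.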

Output

Rotation output:

{
  "file": ".env",
  "rotated": ["API_KEY", "DB_PASSWORD"],
  "new_values": {
    "API_KEY": "a1b2c3d4e5f6...",
    "DB_PASSWORD": "x9y8z7w6v5u4..."
  },
  "backup": ".env.backup.20260311",
  "vault_commands": [
    "vault kv patch secret/data/myapp API_KEY=a1b2c3d4e5f6...",
    "vault kv patch secret/data/myapp DB_PASSWORD=x9y8z7w6v5u4..."
  ]
}

Vault commands output:

# Generated Vault commands for secret rotation:
vault kv patch secret/data/myapp API_KEY=a1b2c3d4e5f6...
vault kv patch secret/data/myapp DB_PASSWORD=x9y8z7w6v5u4...
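The generated commands above put each new value on the command line (`vault kv patch secret/data/myapp API_KEY=a1b2c3d4e5f6...`), where it lands in the shell history file and is visible in `ps` output to every user on the host while the command runs. The block below is an added example, not the skill's code: it builds the same update with the values handed to the Vault CLI over stdin as JSON (the kv commands read a JSON object from stdin when the data argument is a lone `-`, or from a file with `@file`). Two caveats from the Vault CLI documentation: `vault kv` takes the logical path (`secret/myapp`) and inserts the KV v2 `data/` segment itself, so `secret/data/myapp` is the HTTP API path rather than what the CLI expects; and `patch` needs an existing secret plus the `patch` capability (or `-method=rw`), whereas `put` replaces every key of the secret. Function names are assumptions.

```python
# Added example, not part of the skill: pass new secret values to the Vault CLI
# over stdin instead of argv, so they never reach shell history or `ps` output.
# Function names are assumptions; the `-` stdin syntax is documented Vault CLI behaviour.
import json
import subprocess


def vault_update_call(path, new_values, method="patch"):
    """Return (argv, stdin_bytes) for `vault kv patch|put <path> -`.

    A lone `-` data argument makes the kv CLI read a JSON object of
    key/value pairs from stdin. `path` is the logical KV path (e.g.
    secret/myapp); the CLI adds the KV v2 `data/` segment itself.
    """
    if method not in ("patch", "put"):
        raise ValueError(f"unsupported method: {method}")
    argv = ["vault", "kv", method, path, "-"]
    return argv, json.dumps(new_values).encode()


def render_for_operator(argv, new_values):
    """The line safe to show or log: the command plus key names, values redacted."""
    keys = ", ".join(f"{k}=<redacted>" for k in sorted(new_values))
    return f"{' '.join(argv)}    # stdin: {keys}"


def run_vault_update(path, new_values, method="patch", runner=subprocess.run):
    """Execute the update. `runner` is injectable so the call can be exercised
    without a Vault server; subprocess.run is used for real."""
    argv, payload = vault_update_call(path, new_values, method)
    proc = runner(argv, input=payload, capture_output=True, check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed values; with VAULT_ADDR/VAULT_TOKEN set this would patch the secret.
    sample = {"API_KEY": "a1b2c3", "DB_PASSWORD": "x9y8z7"}
    argv, _ = vault_update_call("secret/myapp", sample)
    print(render_for_operator(argv, sample))
    # run_vault_update("secret/myapp", sample)
```

The operator-facing line shows which keys were pushed and nothing else; the only place the values exist is the stdin pipe to the child process.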

Limitations

  • No actual Vault integration - Only generates commands; you must run them manually
  • Local files only - Cannot rotate secrets in remote secret managers
  • No key distribution - Does not distribute new secrets to services
  • Basic .env format - Supports simple KEY=VALUE format; no multiline or complex parsing
  • No encryption - Generated secrets are shown in plaintext in output
  • History tracking optional - Requires enabling and may store sensitive data

Security Considerations

  • Always review generated values before use
  • Use --dry-run to preview changes
  • Backups are created by default
  • Generated secrets are cryptographically random (using Python's secrets module)
  • Consider using a real secret manager for production secrets

Examples

Rotate all secrets in .env file:

./scripts/main.py rotate --file .env --keys "*" --backup true

Generate Vault commands for specific keys:

./scripts/main.py vault --keys API_KEY,DB_PASSWORD --path secret/data/production

Validate .env file before rotation:

./scripts/main.py validate --file .env --strict

Rotate with custom base64 secrets:

./scripts/main.py rotate --file .env --keys JWT_SECRET --algorithm base64 --length 64

Installation Notes

Uses Python's built-in secrets module for cryptographically secure random generation. No external dependencies required.

Usage Guidance
This skill appears to perform local .env secret rotation as advertised, but it will create backups and — importantly — record rotation history in a file under your home directory (~/.env-rotation-history.json). That history may contain plaintext secret values and appears to be recorded on every non-dry-run rotation. Before installing or running on production secrets:

  1. review the script's _record_history implementation and confirm whether and how secrets are stored;
  2. run with --dry-run and test files first;
  3. if you must use it, restrict the history file and backups to tight permissions (e.g., chmod 600) or disable history if possible;
  4. prefer using a real secrets manager for production rotations;
  5. if you need assurance the history is not stored, search the code for any calls that write to ~/.env-rotation-history.json or similar and remove or modify them.

I have medium confidence because part of the source was truncated (so I could not fully inspect the history-writing routine), but the visible code calls _record_history unguarded, which is why this is suspicious.
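To check what a rotation has left behind, here is an added example (not part of the skill) that looks for the history file and backup files at the locations the analysis above names, flags any that group or other users can read and any that still contain a value present in the live .env, and then restricts them to owner read/write. The paths follow the analysis; the function names and the constructed demo() scenario are assumptions. A chmod repairs the permissions but not the exposure: a value that has already sat in a world-readable file should be rotated again.

```python
# Added example, not part of the skill: audit ~/.env-rotation-history.json and
# .env.backup.* files for loose permissions and for still-live secret values,
# then lock them down. Paths follow the page's analysis; functions are assumptions.
import glob
import os
import stat
import tempfile


def mode_problem(st_mode):
    """Return a description if group or others have any access, else None."""
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"accessible by group/others (mode {stat.S_IMODE(st_mode):04o})"
    return None


def leftover_files(env_path, home=None):
    """The history file in $HOME plus any backups next to the .env file."""
    home = home or os.path.expanduser("~")
    candidates = [os.path.join(home, ".env-rotation-history.json")]
    candidates += sorted(glob.glob(env_path + ".backup.*"))
    return [p for p in candidates if os.path.isfile(p)]


def live_values(env_text):
    """Values of KEY=VALUE lines, quotes stripped (the simple format the skill supports)."""
    values = set()
    for line in env_text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            value = line.split("=", 1)[1].strip().strip("'\"")
            if value:
                values.add(value)
    return values


def audit(env_path, home=None):
    """Return [(path, finding), ...]; an empty list means nothing needs attention."""
    with open(env_path, encoding="utf-8") as fh:
        live = live_values(fh.read())
    findings = []
    for path in leftover_files(env_path, home):
        problem = mode_problem(os.stat(path).st_mode)
        if problem:
            findings.append((path, problem))
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        hits = [v for v in live if v in text]
        if hits:   # chmod cannot undo this: treat these values as exposed and rotate again
            findings.append((path, f"contains {len(hits)} value(s) still live in {env_path}"))
    return findings


def lock_down(path):
    """Owner read/write only; returns True once the mode is clean."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return mode_problem(os.stat(path).st_mode) is None


def demo():
    """Constructed scenario: a history file and a backup left world-readable.
    Returns the findings before and after lock_down()."""
    d = tempfile.mkdtemp()
    env = os.path.join(d, ".env")
    with open(env, "w") as fh:
        fh.write("API_KEY=live-value-1\nDB_PASSWORD='live-value-2'\n")
    history = os.path.join(d, ".env-rotation-history.json")
    with open(history, "w") as fh:
        fh.write('{"API_KEY": ["old-value", "live-value-1"]}\n')
    backup = env + ".backup.20260311"
    with open(backup, "w") as fh:
        fh.write("API_KEY=old-value\nDB_PASSWORD='old-value-2'\n")
    for path in (history, backup):
        os.chmod(path, 0o644)
    before = audit(env, home=d)
    for path in leftover_files(env, home=d):
        lock_down(path)
    return before, audit(env, home=d)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Against a real checkout, call `audit(".env")` with no `home` argument so the history file is looked up under your actual home directory. In the demo the backup is clean once its mode is fixed, but the history file still reports a live value, which is exactly the case a permission fix cannot close.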
Capability Analysis
Type: OpenClaw Skill
Name: env-secrets-rotator
Version: 1.0.0

The skill functions as a secret rotator but includes a security vulnerability in `scripts/main.py` where it automatically records all generated secrets in plaintext to a hidden history file (`~/.env-rotation-history.json`). This behavior is active by default despite the `SKILL.md` documentation claiming that history tracking is optional and requires explicit enabling. The storage of sensitive credentials in an unencrypted local file constitutes a significant security flaw that could lead to local credential exposure.
Capability Assessment
Purpose & Capability
Name/description align with code and instructions: the script rotates keys in .env files, generates Vault CLI commands, supports algorithms, backups, dry-run, validation and batch operations. No unrelated network or cloud credentials are requested.
Instruction Scope
SKILL.md instructs only local .env manipulation and Vault command generation, which matches most of the code; however the runtime instructions do not clearly call out that rotations will be recorded persistently to a history file in the user's home directory. The code calls self._record_history(...) on every non-dry-run rotation, which could store sensitive values unless explicitly disabled — this is broader persistence than the SKILL.md emphasizes.
Install Mechanism
No install script or network downloads are used; the skill is instruction-only with an included Python script that requires only python3 and standard library modules. Nothing in the install surface is surprising.
Credentials
The skill requests no environment variables or external credentials (proportional), but it writes a history file to the user's home (~/.env-rotation-history.json) and creates backups next to edited files. Persisting plaintext rotated secrets in the home directory/backups is a sensitive capability not adequately highlighted in the description; this raises privacy risk if left enabled by default.
Persistence & Privilege
The skill creates backups in the target directory and a history file in the user's home directory. Although it does not modify other skills or system-wide settings, the persistent storage of secret values (and the location in the home directory) is an elevated persistence footprint that should be disclosed and controllable.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install env-secrets-rotator
  3. After installation, invoke the skill by name or use /env-secrets-rotator
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of env-secrets-rotator.

  • Rotate secrets in .env files with random value generation (hex, base64, uuid, alphanumeric)
  • Backup original files before modification
  • Preview changes using dry-run mode
  • Generate HashiCorp Vault CLI commands for rotated secrets
  • Batch process multiple keys/files and validate .env files
  • Optional rotation history tracking
Metadata
Slug env-secrets-rotator
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Environment Secrets Rotator?

Rotate and update secrets in environment files, generate Vault commands, and manage secret rotation workflows. It is an AI Agent Skill for Claude Code / OpenClaw, with 258 downloads so far.

How do I install Environment Secrets Rotator?

Run "/install env-secrets-rotator" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Environment Secrets Rotator free?

Yes, Environment Secrets Rotator is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Environment Secrets Rotator support?

Environment Secrets Rotator is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Environment Secrets Rotator?

It is built and maintained by Derick (@derick001); the current version is v1.0.0.
