api-key-auditor
Author: lemonGGGit (GitHub)
Version: v1.0.0
License: MIT-0
Total downloads: 153
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw:
/install api-key-auditor
Description
Scans all files under ~/.openclaw/workspace/skills for hardcoded API keys, tokens and secrets, checks whether each one is already integrated into openclaw.json env.vars, and can automatically migrate unintegrated credentials there. Use when user asks to audit/check/scan for...
Usage (SKILL.md)
API Key Auditor
Scans the skills directory for hardcoded credentials and prints an integration status report.
How to run
# Audit only (read-only, modifies no files)
python3 ~/.openclaw/workspace/skills/api-key-auditor/scripts/audit.py
# Auto-migrate: write unintegrated keys into openclaw.json
python3 ~/.openclaw/workspace/skills/api-key-auditor/scripts/audit.py --fix
Parameters
| Parameter | Default | Description |
|---|---|---|
| --skills-dir | ~/.openclaw/workspace/skills | Directory to scan |
| --openclaw-json | ~/.openclaw/openclaw.json | Target configuration file |
| --fix | off | Automatically write unintegrated keys into env.vars |
Report output meanings
| Status marker | Meaning |
|---|---|
| ✅ Integrated into openclaw.json | The credential is already registered as an environment variable; safe |
| 🔧 Managed by mcporter (no migration needed) | The key is in ~/.mcporter/mcporter.json, where mcporter centrally manages MCP server connections; it does not need to be extracted |
| ⚠️ Not integrated | The credential is hardcoded in a file; migration is recommended |
Migration workflow
- Run the audit and review the ⚠️ not-integrated items
- Run with --fix; the script writes the keys into openclaw.json env.vars and lists the file locations that need manual replacement
- In each listed file, replace the hardcoded value with an environment variable reference:
  - Python: os.environ.get('VAR_NAME')
  - Shell: $VAR_NAME or ${VAR_NAME}
- Restart OpenClaw so the environment variables take effect (openclaw gateway restart)
- Run the audit again to confirm ✅
Design notes
- mcporter keys are not extracted: the ?key= parameter in the MCP server URLs inside ~/.mcporter/mcporter.json is already managed centrally by mcporter and is not a hardcoded credential that needs extraction
- Placeholders are filtered automatically: sample values such as your-api-key-here and REPLACE_ME are not reported as false positives
- Read-only mode is safe: without --fix, the script does not modify any file
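As an added illustration of the scan-and-classify logic the SKILL.md describes (this is not the skill's own scripts/audit.py), a minimal read-only auditor: it applies a constructed credential regex, drops placeholder values, and labels each hit with the three report states. The openclaw.json env.vars layout comes from the page; the mcpServers/url layout of mcporter.json, the regex, and the sample files are assumptions.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlparse

# Constructed pattern: NAME = "value" / "name": 'value' where NAME looks like a key, token or secret
SECRET_RE = re.compile(
    r'(?i)\b(?P<name>[A-Za-z0-9_]*(?:api[_-]?key|token|secret)[A-Za-z0-9_]*)["\']?\s*[:=]\s*'
    r'["\']?(?P<value>[A-Za-z0-9_\-]{8,})')
PLACEHOLDER_RE = re.compile(r'(?i)^(your[-_].*|replace[-_]?me|changeme|x{4,}|<.*>)$')  # sample values never reported

def mcporter_managed_keys(mcporter_json: dict) -> set:
    # ?key= values from MCP server URLs; the "mcpServers"/"url" layout is an assumption
    urls = (s.get("url", "") for s in mcporter_json.get("mcpServers", {}).values())
    return {k for u in urls for k in parse_qs(urlparse(u).query).get("key", [])}

def classify(value: str, env_vars: dict, managed: set) -> str:
    if value in env_vars.values():
        return "integrated"        # already registered under openclaw.json env.vars
    if value in managed:
        return "mcporter-managed"  # lives in mcporter.json; no migration needed
    return "not-integrated"        # hardcoded only; candidate for migration

def audit(skills_dir: Path, openclaw_json: dict, mcporter_json: dict) -> list:
    """Read-only scan returning (relative path, line, name, status); never writes."""
    env_vars = openclaw_json.get("env", {}).get("vars", {})
    managed = mcporter_managed_keys(mcporter_json)
    findings = []
    for path in sorted(p for p in skills_dir.rglob("*") if p.is_file()):
        for lineno, line in enumerate(path.read_text(errors="ignore").splitlines(), 1):
            for m in SECRET_RE.finditer(line):
                if PLACEHOLDER_RE.match(m.group("value")):
                    continue  # your-api-key-here, REPLACE_ME and friends
                status = classify(m.group("value"), env_vars, managed)
                findings.append((path.relative_to(skills_dir).as_posix(), lineno, m.group("name"), status))
    return findings

def demo() -> list:
    root = Path(tempfile.mkdtemp())  # constructed sample workspace, not real secrets
    samples = {
        "foo/config.py": 'OPENAI_API_KEY = "sk-constructed-1234567890"\n',
        "foo/README.md": 'API_KEY = "your-api-key-here"\nSECRET_TOKEN="REPLACE_ME"\n',
        "bar/run.sh": 'TOKEN=ghp_constructed_0987654321\necho "using $TOKEN"\n',
        "baz/server.json": '{"api_key": "mcp-constructed-key-555"}\n'}
    for rel, text in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    openclaw = {"env": {"vars": {"GITHUB_TOKEN": "ghp_constructed_0987654321"}}}
    mcporter = {"mcpServers": {"demo": {"url": "https://mcp.example.invalid/sse?key=mcp-constructed-key-555"}}}
    return audit(root, openclaw, mcporter)
```

demo() returns one finding per classified hit and none for the placeholder lines; the real skill additionally implements --fix, which this read-only sketch deliberately omits.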
Safe usage recommendations
Inspect and run in read-only mode first: run the auditor without --fix to review findings. If you use --fix, be aware the script writes the raw secret values into ~/.openclaw/openclaw.json (plaintext); back up that file and ensure its filesystem permissions are restrictive. Review added env var names and manually replace hardcoded values in source files as instructed. Only run --fix if you trust this skill source and understand the tradeoff of centralizing secrets. If unsure, open scripts/audit.py yourself to verify behavior before running.
Functional analysis
Type: OpenClaw Skill
Name: api-key-auditor
Version: 1.0.0
The api-key-auditor skill is a security utility designed to identify hardcoded credentials within the OpenClaw workspace and facilitate their migration to environment variables in openclaw.json. The script (scripts/audit.py) performs local file scanning using regular expressions and provides a report or an automated fix mechanism; it does not exhibit any signs of data exfiltration, remote execution, or unauthorized access beyond its stated purpose.
Capability assessment
Purpose & Capability
The name/description match the included code and SKILL.md. The script scans ~/.openclaw/workspace/skills, checks ~/.openclaw/openclaw.json, optionally writes found values there, and skips mcporter-managed keys — all coherent with the stated purpose.
Instruction Scope
Instructions and the script operate only on local files (skills directory, ~/.openclaw/openclaw.json, ~/.mcporter/mcporter.json). They do not call external networks or hidden endpoints. Note: the --fix mode will write secrets into openclaw.json (the SKILL.md explains this), and SKILL.md suggests restarting the gateway; run read-only first.
Install Mechanism
Instruction-only skill with a bundled Python script and no install spec; nothing is downloaded or installed automatically.
Credentials
The skill requests no environment variables or external credentials. It legitimately reads local config files. Caution: migrating with --fix stores secret values in plaintext inside openclaw.json, which centralizes secrets and may increase exposure if that file is widely readable.
Persistence & Privilege
The skill is not forced-always, does not modify other skills, and only updates the openclaw.json file when explicitly run with --fix. Autonomous invocation is allowed by default but not combined with other concerning privileges here.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Type the install command in the chat box: /install api-key-auditor
- After installation, call the skill by name directly or trigger it with /api-key-auditor
- Provide the required inputs according to the skill's parameter description to get structured output
Version history
v1.0.0
Initial release — scans and audits hardcoded API keys and credentials in the skills directory, with optional migration to central config.
- Scans all files in ~/.openclaw/workspace/skills for hardcoded API keys, tokens, and secrets.
- Reports integration status: integrated in openclaw.json, managed by mcporter, or not yet integrated.
- Supports read-only audit and --fix mode for automatic migration of unregistered credentials to openclaw.json env.vars.
- Skips sample values and mcporter-managed keys to avoid false positives.
- Clear instructions provided for manual replacement and integration workflow.
FAQ
What is api-key-auditor?
It scans all files under ~/.openclaw/workspace/skills for hardcoded API keys, tokens and secrets, checks whether they are integrated into openclaw.json env.vars, and can automatically migrate unintegrated credentials there. Use when user asks to audit/check/scan for... It is an AI Agent Skill plugin for Claude Code / OpenClaw with 153 downloads to date.
How do I install api-key-auditor?
Run the command "/install api-key-auditor" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is api-key-auditor free?
Yes, api-key-auditor is completely free under the MIT-0 license and can be downloaded, installed and used freely.
Which platforms does api-key-auditor support?
api-key-auditor is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed api-key-auditor?
Developed and maintained by lemonGGGit (@lemongggit); current version v1.0.0.