API Key Guardian
Author: xiaohuaishu · GitHub · v1.0.0 · MIT-0
Total downloads: 327 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install api-key-guardian
Description
Security scanning for API keys and sensitive information. Detects leaked API keys, passwords and tokens in a code base, supports git history scanning, and provides AI risk analysis and remediation advice. Use it when you need to check a project's security or prevent key leakage.
Usage (SKILL.md)
API Key Guardian 🔐
Scans a code base for sensitive information to prevent leakage of API keys, passwords and tokens.
Usage
# Scan the current directory
python3 guardian.py
# Scan a specified directory
python3 guardian.py --path /your/project
# Scan a single file
python3 guardian.py --file .env
# Scan git history
python3 guardian.py --git-history
# Enable AI risk analysis (requires the OpenClaw proxy to be running)
python3 guardian.py --ai
Detection types
- OpenAI / Anthropic / Google / AWS / GitHub / Stripe API keys
- ClawHub tokens
- RSA private keys
- Database connection strings
- Generic hard-coded passwords / secrets
Safe usage advice
This skill implements a secret scanner and a built-in AI analysis step. Before running it on real repositories:
1) Inspect guardian.py and remove or rotate the hard-coded API key; do not deploy code containing embedded secrets.
2) If you plan to use the --ai option, verify what local service should be listening on 127.0.0.1:18790 and why a fixed x-api-key is present; prefer configuring an API key via environment variables or the OpenClaw agent rather than an in-file secret.
3) Ensure git is available (the script calls git) and consider running the scanner in an isolated environment (container/machine) when scanning sensitive repos.
4) If you cannot validate the embedded key or the local proxy, avoid using --ai and run the scanner only after manual review.
5) Prefer installing/using a well-audited scanner from a known source; lack of homepage/source and the embedded credential increase risk.
Feature analysis
Type: OpenClaw Skill
Name: api-key-guardian
Version: 1.0.0
The skill is a security utility designed to scan local directories and git history for leaked API keys and sensitive information (OpenAI, AWS, GitHub, etc.). It uses regex patterns defined in `patterns.py` and provides a masked report to the user. While `guardian.py` contains a hardcoded API key and sends data to a local endpoint (127.0.0.1:18790) for AI-based risk analysis, it only transmits metadata (file names and line numbers) rather than the actual secrets, and the local address suggests integration with a local AI proxy rather than remote exfiltration.
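As an added illustration (not the skill's own code, since its patterns.py and guardian.py are not reproduced on this page), the following Python sketch shows the behaviour described above together with the credential handling recommended in the safety advice: regex detection over constructed sample lines, a masked report, a metadata-only payload for the analysis step, and the proxy key read from an environment variable. The pattern set, the ANALYSIS_API_KEY variable name and the sample files are assumptions.

```python
import os
import re

# Constructed sample input (not from any real project); one list entry per line.
SAMPLE_FILES = {
    "config.py": [
        'OPENAI_KEY = "sk-CONSTRUCTED0123456789abcdef"',
        'DB_URL = "postgres://admin:hunter2@db.internal:5432/app"',
    ],
    "deploy.sh": ["export AWS_ACCESS_KEY_ID=AKIACONSTRUCTED00000"],
}

# Assumed detection patterns for the types listed in SKILL.md (the real patterns.py is not shown).
PATTERNS = {
    "openai_key": re.compile(r"sk-[A-Za-z0-9]{20,}"),
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "github_token": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "db_connection": re.compile(r"\b\w+://[^:\s]+:[^@\s]+@[\w.:/-]+"),
    "rsa_private_key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
}


def mask(secret, keep=4):
    """Keep a short prefix so the report itself never reproduces the value."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan(files):
    """Return one finding per match: file, 1-based line number, type, masked value."""
    findings = []
    for name, lines in files.items():
        for lineno, line in enumerate(lines, start=1):
            for kind, pattern in PATTERNS.items():
                match = pattern.search(line)
                if match:
                    findings.append({"file": name, "line": lineno,
                                     "type": kind, "masked": mask(match.group(0))})
    return findings


def ai_payload(findings):
    """Metadata-only payload for the analysis step: no secret values at all."""
    return [{"file": f["file"], "line": f["line"], "type": f["type"]} for f in findings]


def analysis_headers(env=os.environ):
    """Take the proxy key from the environment instead of embedding it in the script.
    ANALYSIS_API_KEY is an assumed variable name, not one the skill defines."""
    key = env.get("ANALYSIS_API_KEY")
    if not key:
        raise RuntimeError("ANALYSIS_API_KEY not set; AI analysis disabled")
    return {"x-api-key": key, "content-type": "application/json"}
```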
Capability assessment
Purpose & Capability
Name/description match the code: the Python scripts implement repo and git-history scanning and an optional AI analysis step. Requested runtime binary (python3) is appropriate. However, the code calls git via subprocess (git must exist) but the SKILL metadata only declared python3 — that's an omission. Also the script embeds a hard-coded API key and a local AI endpoint for the analysis step, which is unexpected for a scanner and not declared in requirements.
Instruction Scope
SKILL.md instructs running guardian.py and optionally enabling AI analysis. The code does exactly that, scanning files and git history. But the AI analysis function performs an HTTP POST to http://127.0.0.1:18790/anthropic/v1/messages using a hard-coded x-api-key value. The instructions do not mention this embedded key, the local proxy requirement, or what that key is for — creating a gap between documented behavior and actual network activity. The scanner will read arbitrary files in the repo (by design) and git history (also by design); that is expected but warrants caution on sensitive repos.
Install Mechanism
No install spec; the skill is provided as Python scripts and requires no external downloads. Nothing is written to disk beyond running the included scripts. This is the lowest-risk install mechanism.
Credentials
The manifest requests no environment variables or credentials, which is generally fine. But the code contains a hard-coded API key (x-api-key: "sk-RPBUoe2SH7KigJ0SZn6IPDirZtJ2fUaWSukEx1FwxjhWFx0G") used when contacting the local Anthropic-like endpoint. Embedding secrets in code is poor practice and increases risk. Also the script invokes git via subprocess but does not declare git as a required binary in metadata.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It does not modify other skills or system configuration. Autonomous invocation is allowed by default but is not combined here with other escalation indicators.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install api-key-guardian
- After installation, call the skill by name directly or trigger it with /api-key-guardian
- Provide the required inputs according to the skill's parameter description to receive structured output
Version history
v1.0.0
Initial release: scans a code base for leaked API keys, passwords and tokens, supports git history scanning, and provides AI risk analysis
FAQ
What is API Key Guardian?
Security scanning for API keys and sensitive information. It detects leaked API keys, passwords and tokens in a code base, supports git history scanning, and provides AI risk analysis and remediation advice. Use it when you need to check a project's security or prevent key leakage. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 327 downloads to date.
How do I install API Key Guardian?
Run the command "/install api-key-guardian" in the OpenClaw or Claude Code chat box for a one-step install; no extra configuration is needed.
Is API Key Guardian free?
Yes, API Key Guardian is completely free under the MIT-0 license and may be freely downloaded, installed and used.
Which platforms does API Key Guardian support?
API Key Guardian is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed API Key Guardian?
Developed and maintained by xiaohuaishu (@xiaohuaishu); current version v1.0.0.