techris93

Credential Hygiene Validator

cross-platform ✓ Security check passed
Total downloads: 331
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install credential-hygiene-validator
Description
Checks whether credentials and tokens are stored safely. Validates file permissions, plaintext exposure, git repo contamination, log redaction coverage, and...
Usage (SKILL.md)

Credential Hygiene Validator

Checks whether credentials and tokens in config files are stored with reasonable hygiene. Catches common mistakes before they become incidents.

What it checks

  1. File permissions -- config files should be 600 or 700, not world-readable
  2. Plaintext tokens -- scans for hex tokens, JWTs (base64url with dots), Bearer strings, and API keys
  3. Git repo contamination -- whether the config directory sits inside a git working tree
  4. Gitignore coverage -- whether .gitignore excludes credential paths
  5. Log file leaks -- tokens appearing in log output (checks all formats: hex, JWT, Bearer per RFC 6750)
  6. Token age -- warns if tokens have not been rotated recently
  7. Atomic write safety -- checks if config backup exists (indicator of safe write patterns)

When to use it

  • After setting up a new tool or service
  • Before pushing dotfiles to a public repo
  • As part of a regular security hygiene review
  • When onboarding a new machine
  • After rotating credentials, to confirm the old token is gone

Example prompts

  • "Check if my OpenClaw tokens are stored safely"
  • "Audit my dotfiles for leaked credentials"
  • "Is my config directory in a git repo?"
  • "Check file permissions on my credentials"
  • "Are my tokens showing up in any log files?"

Checks run

# 1. File permissions (GNU stat shown; on macOS/BSD use: stat -f '%Lp' <file>)
stat -c '%a %n' ~/.openclaw/openclaw.json
# Expected: 600

# 2. Plaintext tokens (full token68 charset per RFC 7235; -P needs a PCRE-enabled grep)
# The eyJ... alternative matches the header.payload.signature JWT form the notes describe.
grep -rnP '("token"\s*:\s*")[^"]{8,}"|[Bb]earer\s+[\w\-\.+/=~]{16,}|[a-f0-9]{32,}|eyJ[\w\-]+\.[\w\-]+\.[\w\-]+' \
  ~/.openclaw/ --include="*.json" 2>/dev/null
# Expected: no output

# 3. Git repo check (rev-parse prints "true" and exits 0 inside a work tree)
git -C ~/.openclaw rev-parse --is-inside-work-tree 2>/dev/null \
  && echo "INSIDE a git work tree" || echo "not in a repo"
# Expected: "not in a repo"

# 4. Gitignore coverage (-F matches the literal string, so "." is not a wildcard)
grep -qF '.openclaw' ~/.gitignore 2>/dev/null && echo "covered" || echo "not covered"

# 5. Log file leaks (full token68 charset, hex, and JWT)
grep -rnP '[Bb]earer\s+[\w\-\.+/=~]{16,}|[a-f0-9]{32,}|eyJ[\w\-]+\.[\w\-]+\.[\w\-]+' \
  ~/.openclaw/logs/ --include="*.log" 2>/dev/null
# Expected: no output

# 6. Token age (check config file modification time)
find ~/.openclaw/openclaw.json -mtime +90 -print 2>/dev/null
# If output: token has not been rotated in 90+ days

# 7. Backup file exists (atomic write indicator)
ls ~/.openclaw/openclaw.json.bak 2>/dev/null && echo "backup present" || echo "no backup"

Notes

  • Read-only checks, does not modify any files
  • Token patterns match hex, JWT (header.payload.signature), base64url, and Bearer headers case-insensitively per RFC 6750
  • Works with any tool that stores credentials in dotfiles
  • Aligns with T-ACCESS-003 in the OpenClaw threat model
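The seven checks above, turned into shell functions that take the config directory as an argument so they can be run over any dotfile directory and exercised on a constructed temporary tree; this is an added example, not the skill's own code, and it swaps grep -P for grep -E and falls back to BSD stat for portability. The gitignore path argument ($2), the FAIL/WARN output format and the run_all wrapper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the skill's code: SKILL.md checks as functions over the
# config dir in $1, using grep -E (not -P) so they run on BSD and GNU hosts.
HEX_RE='[a-f0-9]{32,}'
BEARER_RE='[Bb]earer[[:space:]]+[A-Za-z0-9_.+/=~-]{16,}'   # token68, RFC 7235
JWT_RE='eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'  # header.payload.sig
TOKEN_RE="$HEX_RE|$BEARER_RE|$JWT_RE"

perm_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }  # GNU, then BSD

# Each check prints one finding line and returns 1, or returns 0 when clean.
check_perms() {     # 1. config must be owner-only (600 or 700)
  p=$(perm_of "$1/openclaw.json")
  case "$p" in 600|700) return 0 ;; esac
  echo "FAIL permissions are ${p:-missing}, expected 600"; return 1
}
check_plaintext() { # 2. token-shaped strings inside JSON config files
  grep -Eq "\"token\"[[:space:]]*:[[:space:]]*\"[^\"]{8,}\"|$TOKEN_RE" "$1"/*.json 2>/dev/null \
    && { echo "FAIL plaintext token in config"; return 1; }; return 0
}
check_git() {       # 3. config dir must not sit inside a git working tree
  git -C "$1" rev-parse --is-inside-work-tree >/dev/null 2>&1 \
    && { echo "FAIL config dir is inside a git work tree"; return 1; }; return 0
}
check_gitignore() { # 4. the .gitignore at $2 (assumed argument) must list .openclaw
  grep -qsF '.openclaw' "$2" && return 0
  echo "WARN .gitignore does not cover .openclaw"; return 1
}
check_logs() {      # 5. tokens leaking into log output
  grep -rEq "$TOKEN_RE" "$1/logs" 2>/dev/null \
    && { echo "FAIL token found in logs"; return 1; }; return 0
}
check_age() {       # 6. config untouched for 90+ days suggests no rotation
  [ -n "$(find "$1/openclaw.json" -mtime +90 2>/dev/null)" ] \
    && { echo "WARN token not rotated in 90+ days"; return 1; }; return 0
}
check_backup() {    # 7. a .bak file is the indicator of atomic writes
  [ -f "$1/openclaw.json.bak" ] && return 0
  echo "WARN no backup file, writes may not be atomic"; return 1
}

# Runs every check; prints and returns the number of findings (0 = clean).
run_all() {
  n=0
  for c in check_perms check_plaintext check_git check_gitignore check_logs check_age check_backup; do
    $c "$1" "$2" || n=$((n + 1))
  done
  echo "findings: $n"; return $n
}
```

Usage: run_all ~/.openclaw ~/.gitignore exits with the number of findings, so it can gate a dotfiles push in a shell hook.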

References

Safe usage recommendations
This skill appears to do exactly what it claims: read-only local checks for credential hygiene. Before installing or invoking it, review the SKILL.md to confirm the hard-coded paths (~/.openclaw, ~/.gitignore, logs) match what you want inspected. Be aware the grep patterns are broad and can yield false positives; test the commands manually in a safe environment first. Ensure your agent runs with the least privilege necessary (not as root) so it only examines your user files. If you want it to scan different directories, either edit the prompts or run the commands locally yourself rather than granting an agent broad access.
Functional analysis
Type: OpenClaw Skill
Name: credential-hygiene-validator
Version: 1.0.0
The skill bundle is designed to perform read-only security checks on credential storage hygiene within the `~/.openclaw/` directory and related dotfiles. All commands in `SKILL.md` (`stat`, `grep`, `git`, `find`, `ls`) are non-modifying and focused on auditing file permissions, plaintext token exposure, git repository contamination, and log file leaks. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts designed to subvert the agent's intended function.
Capability assessment
Purpose & Capability
Name/description match the actions: scanning files, checking git status, and inspecting permissions. Minor inconsistency: registry metadata declares no required config paths, but the SKILL.md hard-codes ~/.openclaw and ~/.gitignore as targets — this is coherent with the described OpenClaw focus but should be declared explicitly in metadata.
Instruction Scope
SKILL.md only runs local, read-only commands (stat, grep, git, find, ls) against the user's home dotfiles and logs. These actions are within the declared purpose (permission checks, token pattern scanning, git/gitignore checks). It does not transmit data externally. Note: the grep patterns are broad and may produce false positives, and grep -P (PCRE) may not be available on all platforms.
Install Mechanism
Instruction-only skill with no install spec or code to download — lowest install risk.
Credentials
The skill requests no environment variables or credentials. The binaries it requires (grep, stat, git) are appropriate for the described checks.
Persistence & Privilege
always:false and normal model invocation settings. The skill does not request permanent presence or modify other skills/configuration.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install credential-hygiene-validator
  3. After installation, call the Skill by name directly or trigger it with /credential-hygiene-validator
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.0
Credential Hygiene Validator initial release:
  • Validates credential and token storage hygiene in configuration files.
  • Checks file permissions, plaintext token exposure, git repo contamination, .gitignore coverage, and log file leaks.
  • Warns about tokens not rotated recently and detects presence of backup files for atomic write safety.
  • Supports both OpenClaw and general dotfile directories.
  • Provides example CLI commands for all checks.
  • Read-only: performs audits without modifying files.
Metadata
Slug credential-hygiene-validator
Version 1.0.0
License
Total installs 1
Current installs 1
Version count 1
FAQ

What is Credential Hygiene Validator?

Checks whether credentials and tokens are stored safely. Validates file permissions, plaintext exposure, git repo contamination, log redaction coverage, and... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 331 downloads to date.

How do I install Credential Hygiene Validator?

Run the command "/install credential-hygiene-validator" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Credential Hygiene Validator free?

Yes, Credential Hygiene Validator is completely free (open source) and can be freely downloaded, installed, and used.

Which platforms does Credential Hygiene Validator support?

Credential Hygiene Validator runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Credential Hygiene Validator?

Developed and maintained by Onyedika Christopher Agada (@techris93); the current version is v1.0.0.
