← 返回 Skills 市场
258
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install env-secrets-rotator
功能描述
Rotate and update secrets in environment files, generate Vault commands, and manage secret rotation workflows.
使用说明 (SKILL.md)
Environment Secrets Rotator
What This Does
A CLI tool to help rotate secrets in environment files and generate commands for secret managers like HashiCorp Vault. Securely generates new random values for secrets, updates .env files, and provides rotation workflows for development and production environments.
Key features:
- Rotate secrets in .env files - Generate new random values for specified keys
- Multiple generation algorithms - Hex, base64, UUID, custom length
- Backup original files - Create backups before modification
- Dry-run mode - Preview changes without modifying files
- Generate Vault commands - Output HashiCorp Vault CLI commands for secret rotation
- Batch processing - Rotate multiple keys across multiple files
- Validation - Check .env file format and key existence
- Rotation history - Track previous values (optional)
How To Use
Basic rotation:
./scripts/main.py rotate --file .env --keys API_KEY,DB_PASSWORD
With custom generation:
./scripts/main.py rotate --file .env --keys API_KEY --algorithm base64 --length 32
Dry run (preview):
./scripts/main.py rotate --file .env --keys "*" --dry-run
Generate Vault commands:
./scripts/main.py vault --keys API_KEY,DB_PASSWORD --path secret/data/myapp
Full command reference:
./scripts/main.py help
Commands
-
rotate: Rotate secrets in environment files--file: Path to .env file (required)--keys: Comma-separated keys to rotate, or "" for all (default: "")--algorithm: Random generation algorithm: hex, base64, uuid, alphanumeric (default: hex)--length: Length of generated secret (default: 32)--backup: Create backup before modifying (default: true)--dry-run: Preview changes without modifying files--output: Write to new file instead of modifying original
-
vault: Generate HashiCorp Vault commands--keys: Comma-separated keys to generate commands for--path: Vault secret path (e.g., "secret/data/myapp")--engine: Vault secrets engine (default: "kv")--method: Vault method: patch, put (default: "patch")
-
validate: Validate .env file--file: Path to .env file--strict: Require all values to be non-empty
-
history: Show rotation history (if enabled)--file: Path to .env file--key: Specific key to show history for
Output
Rotation output:
{
"file": ".env",
"rotated": ["API_KEY", "DB_PASSWORD"],
"new_values": {
"API_KEY": "a1b2c3d4e5f6...",
"DB_PASSWORD": "x9y8z7w6v5u4..."
},
"backup": ".env.backup.20260311",
"vault_commands": [
"vault kv patch secret/data/myapp API_KEY=a1b2c3d4e5f6...",
"vault kv patch secret/data/myapp DB_PASSWORD=x9y8z7w6v5u4..."
]
}
Vault commands output:
# Generated Vault commands for secret rotation:
vault kv patch secret/data/myapp API_KEY=a1b2c3d4e5f6...
vault kv patch secret/data/myapp DB_PASSWORD=x9y8z7w6v5u4...
Limitations
- No actual Vault integration - Only generates commands; you must run them manually
- Local files only - Cannot rotate secrets in remote secret managers
- No key distribution - Does not distribute new secrets to services
- Basic .env format - Supports simple KEY=VALUE format; no multiline or complex parsing
- No encryption - Generated secrets are shown in plaintext in output
- History tracking optional - Requires enabling and may store sensitive data
Security Considerations
- Always review generated values before use
- Use
--dry-runto preview changes - Backups are created by default
- Generated secrets are cryptographically random (using Python's secrets module)
- Consider using a real secret manager for production secrets
Examples
Rotate all secrets in .env file:
./scripts/main.py rotate --file .env --keys "*" --backup true
Generate Vault commands for specific keys:
./scripts/main.py vault --keys API_KEY,DB_PASSWORD --path secret/data/production
Validate .env file before rotation:
./scripts/main.py validate --file .env --strict
Rotate with custom base64 secrets:
./scripts/main.py rotate --file .env --keys JWT_SECRET --algorithm base64 --length 64
Installation Notes
Uses Python's built-in secrets module for cryptographically secure random generation. No external dependencies required.
安全使用建议
This skill appears to perform local .env secret rotation as advertised, but it will create backups and — importantly — record rotation history in a file under your home directory (~/.env-rotation-history.json). That history may contain plaintext secret values and appears to be recorded on every non-dry-run rotation. Before installing or running on production secrets: (1) review the script's _record_history implementation and confirm whether and how secrets are stored; (2) run with --dry-run and test files first; (3) if you must use it, restrict the history file and backups to tight permissions (e.g., chmod 600) or disable history if possible; (4) prefer using a real secrets manager for production rotations; (5) if you need assurance the history is not stored, search the code for any calls that write to ~/.env-rotation-history.json or similar and remove or modify them. I have medium confidence because part of the source was truncated (so I could not fully inspect the history-writing routine), but the visible code calls _record_history unguarded, which is why this is suspicious.
功能分析
Type: OpenClaw Skill
Name: env-secrets-rotator
Version: 1.0.0
The skill functions as a secret rotator but includes a security vulnerability in `scripts/main.py` where it automatically records all generated secrets in plaintext to a hidden history file (`~/.env-rotation-history.json`). This behavior is active by default despite the `SKILL.md` documentation claiming that history tracking is optional and requires explicit enabling. The storage of sensitive credentials in an unencrypted local file constitutes a significant security flaw that could lead to local credential exposure.
能力评估
Purpose & Capability
Name/description align with code and instructions: the script rotates keys in .env files, generates Vault CLI commands, supports algorithms, backups, dry-run, validation and batch operations. No unrelated network or cloud credentials are requested.
Instruction Scope
SKILL.md instructs only local .env manipulation and Vault command generation, which matches most of the code; however the runtime instructions do not clearly call out that rotations will be recorded persistently to a history file in the user's home directory. The code calls self._record_history(...) on every non-dry-run rotation, which could store sensitive values unless explicitly disabled — this is broader persistence than the SKILL.md emphasizes.
Install Mechanism
No install script or network downloads are used; the skill is instruction-only with an included Python script that requires only python3 and standard library modules. Nothing in the install surface is surprising.
Credentials
The skill requests no environment variables or external credentials (proportional), but it writes a history file to the user's home (~/.env-rotation-history.json) and creates backups next to edited files. Persisting plaintext rotated secrets in the home directory/backups is a sensitive capability not adequately highlighted in the description; this raises privacy risk if left enabled by default.
Persistence & Privilege
The skill creates backups in the target directory and a history file in the user's home directory. Although it does not modify other skills or system-wide settings, the persistent storage of secret values (and the location in the home directory) is an elevated persistence footprint that should be disclosed and controllable.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install env-secrets-rotator - 安装完成后,直接呼叫该 Skill 的名称或使用
/env-secrets-rotator触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of env-secrets-rotator.
- Rotate secrets in .env files with random value generation (hex, base64, uuid, alphanumeric)
- Backup original files before modification
- Preview changes using dry-run mode
- Generate HashiCorp Vault CLI commands for rotated secrets
- Batch process multiple keys/files and validate .env files
- Optional rotation history tracking
元数据
常见问题
Environment Secrets Rotator 是什么?
Rotate and update secrets in environment files, generate Vault commands, and manage secret rotation workflows. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 258 次。
如何安装 Environment Secrets Rotator?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install env-secrets-rotator」即可一键安装,无需额外配置。
Environment Secrets Rotator 是免费的吗?
是的,Environment Secrets Rotator 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Environment Secrets Rotator 支持哪些平台?
Environment Secrets Rotator 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Environment Secrets Rotator?
由 Derick(@derick001)开发并维护,当前版本 v1.0.0。
推荐 Skills