Token Safety Checker

Scan openclaw.json for plaintext secrets (tokens, API keys, passwords) and migrate them to environment variables using SecretRef. Use when the user asks to "...

This tool appears to do what it says: it scans your local openclaw.json, shows you which fields look like secrets, and (after your confirmation) writes those secret values into your shell profile and replaces them with SecretRef entries in the config, creating a .bak first. Before running: 1) always run the --dry-run and review the exact export lines it will append to your profile, 2) verify the backup file (openclaw.json.bak) is created, 3) if you use systemd or Docker, follow the SKILL.md guidance instead of relying on profile sourcing, and 4) consider using SecretRef types 'file' or 'exec' (as suggested) for stricter setups. If you want extra assurance, review the included scripts/safeclaw.py source yourself to confirm no unexpected network calls are present (the code uses git subprocesses for optional history scanning but does not make network requests).

Type: OpenClaw Skill Name: token-safety-checker Version: 2.0.0 The skill is a defensive security utility designed to identify plaintext secrets in OpenClaw configurations and migrate them to environment variables. It demonstrates strong security hygiene by ensuring secret values are never exposed in CLI arguments, logs, or the AI agent's context (returning only metadata like paths and lengths to the agent). While it performs high-privilege actions such as modifying shell profiles (~/.zshrc, ~/.bashrc) and reading git history via scripts/safeclaw.py, these actions are strictly aligned with its documented purpose and include safety measures like robust shell-quoting to prevent injection. No evidence of data exfiltration or malicious intent was found.