← Back to Skills Marketplace
Credential Hygiene Validator
by
Onyedika Christopher Agada
· GitHub ↗
· v1.0.0
331
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install credential-hygiene-validator
Description
Checks whether credentials and tokens are stored safely. Validates file permissions, plaintext exposure, git repo contamination, log redaction coverage, and...
README (SKILL.md)
Credential Hygiene Validator
Checks whether credentials and tokens in config files are stored with reasonable hygiene. Catches common mistakes before they become incidents.
What it checks
- File permissions -- config files should be 600 or 700, not world-readable
- Plaintext tokens -- scans for hex tokens, JWTs (base64url with dots), Bearer strings, and API keys
- Git repo contamination -- whether the config directory sits inside a git working tree
- Gitignore coverage -- whether .gitignore excludes credential paths
- Log file leaks -- tokens appearing in log output (checks all formats: hex, JWT, Bearer per RFC 6750)
- Token age -- warns if tokens have not been rotated recently
- Atomic write safety -- checks if config backup exists (indicator of safe write patterns)
When to use it
- After setting up a new tool or service
- Before pushing dotfiles to a public repo
- As part of a regular security hygiene review
- When onboarding a new machine
- After rotating credentials, to confirm the old token is gone
Example prompts
- "Check if my OpenClaw tokens are stored safely"
- "Audit my dotfiles for leaked credentials"
- "Is my config directory in a git repo?"
- "Check file permissions on my credentials"
- "Are my tokens showing up in any log files?"
Checks run
# 1. File permissions
stat -c '%a %n' ~/.openclaw/openclaw.json
# Expected: 600
# 2. Plaintext tokens (full token68 charset per RFC 7235)
grep -rnP '("token"\s*:\s*")[^"]{8,}"|[Bb]earer\s+[\w\-\.+/=~]{16,}|[a-f0-9]{32,}' \
~/.openclaw/ --include="*.json" 2>/dev/null
# 3. Git repo check
git -C ~/.openclaw rev-parse --is-inside-work-tree 2>/dev/null
# Expected: error (not in a repo)
# 4. Gitignore coverage
grep -q '.openclaw' ~/.gitignore 2>/dev/null && echo "covered" || echo "not covered"
# 5. Log file leaks (full token68 charset)
grep -rnP '[Bb]earer\s+[\w\-\.+/=~]{16,}|[a-f0-9]{32,}' \
~/.openclaw/logs/ --include="*.log" 2>/dev/null
# 6. Token age (check config file modification time)
find ~/.openclaw/openclaw.json -mtime +90 -print 2>/dev/null
# If output: token has not been rotated in 90+ days
# 7. Backup file exists (atomic write indicator)
ls ~/.openclaw/openclaw.json.bak 2>/dev/null && echo "backup present" || echo "no backup"
Notes
- Read-only checks, does not modify any files
- Token patterns match hex, JWT (header.payload.signature), base64url, and Bearer headers case-insensitively per RFC 6750
- Works with any tool that stores credentials in dotfiles
- Aligns with T-ACCESS-003 in the OpenClaw threat model
References
Usage Guidance
This skill appears to do exactly what it claims: read-only local checks for credential hygiene. Before installing or invoking it, review the SKILL.md to confirm the hard-coded paths (~/.openclaw, ~/.gitignore, logs) match what you want inspected. Be aware the grep patterns are broad and can yield false positives; test the commands manually in a safe environment first. Ensure your agent runs with the least privilege necessary (not as root) so it only examines your user files. If you want it to scan different directories, either edit the prompts or run the commands locally yourself rather than granting an agent broad access.
Capability Analysis
Type: OpenClaw Skill
Name: credential-hygiene-validator
Version: 1.0.0
The skill bundle is designed to perform read-only security checks on credential storage hygiene within the `~/.openclaw/` directory and related dotfiles. All commands in `SKILL.md` (`stat`, `grep`, `git`, `find`, `ls`) are non-modifying and focused on auditing file permissions, plaintext token exposure, git repository contamination, and log file leaks. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts designed to subvert the agent's intended function.
Capability Assessment
Purpose & Capability
Name/description match the actions: scanning files, checking git status, and inspecting permissions. Minor inconsistency: registry metadata declares no required config paths, but the SKILL.md hard-codes ~/.openclaw and ~/.gitignore as targets — this is coherent with the described OpenClaw focus but should be declared explicitly in metadata.
Instruction Scope
SKILL.md only runs local, read-only commands (stat, grep, git, find, ls) against the user's home dotfiles and logs. These actions are within the declared purpose (permission checks, token pattern scanning, git/gitignore checks). It does not transmit data externally. Note: the grep patterns are broad and may produce false positives and the use of grep -P (PCRE) may not be available on all platforms.
Install Mechanism
Instruction-only skill with no install spec or code to download — lowest install risk.
Credentials
The skill requests no environment variables or credentials. The binaries it requires (grep, stat, git) are appropriate for the described checks.
Persistence & Privilege
always:false and normal model invocation settings. The skill does not request permanent presence or modify other skills/configuration.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install credential-hygiene-validator - After installation, invoke the skill by name or use
/credential-hygiene-validator - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Credential Hygiene Validator initial release:
- Validates credential and token storage hygiene in configuration files.
- Checks file permissions, plaintext token exposure, git repo contamination, .gitignore coverage, and log file leaks.
- Warns about tokens not rotated recently and detects presence of backup files for atomic write safety.
- Supports both OpenClaw and general dotfile directories.
- Provides example CLI commands for all checks.
- Read-only: performs audits without modifying files.
Metadata
Frequently Asked Questions
What is Credential Hygiene Validator?
Checks whether credentials and tokens are stored safely. Validates file permissions, plaintext exposure, git repo contamination, log redaction coverage, and... It is an AI Agent Skill for Claude Code / OpenClaw, with 331 downloads so far.
How do I install Credential Hygiene Validator?
Run "/install credential-hygiene-validator" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Credential Hygiene Validator free?
Yes, Credential Hygiene Validator is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Credential Hygiene Validator support?
Credential Hygiene Validator is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Credential Hygiene Validator?
It is built and maintained by Onyedika Christopher Agada (@techris93); the current version is v1.0.0.
More Skills