Credential Manager
STATUS: MANDATORY SECURITY FOUNDATION
Consolidate scattered API keys and credentials into a secure, centralized .env file.
⚠️ This Is Not Optional
Centralized .env credential management is a core requirement for OpenClaw security. If your credentials are scattered across multiple files, stop and consolidate them now.
THE RULE: All credentials MUST be in ~/.openclaw/.env ONLY. No workspace, no skills, no scripts directories.
See:
The Foundation
Every OpenClaw deployment MUST have:
```
~/.openclaw/.env    (mode 600)
```
This is your single source of truth for all credentials. No exceptions.
Why?
- Single location = easier to secure
- File mode 600 = only you can read
- Git-ignored = won't accidentally commit
- Validated format = catches errors
- Audit trail = know what changed
Scattered credentials = scattered attack surface. This skill fixes that.
What This Skill Does
1. Scans for credentials in common locations
2. Backs up existing credential files (timestamped)
3. Consolidates into `~/.openclaw/.env`
4. Secures with proper permissions (600)
5. Validates security and format
6. Enforces best practices
7. Cleans up old files after migration
Detection Parameters
The skill automatically detects credentials by scanning for:
File Patterns:
- `credentials.json` files in config directories
- `.env` files
- Memory files with `-creds` or `credentials` in the name
Sensitive Key Patterns:
- API keys, access tokens, bearer tokens
- Secrets, passwords, passphrases
- OAuth consumer keys
- Private keys, signing keys, wallet keys
- Mnemonics and seed phrases
Security Checks:
- File permissions (must be 600)
- Git-ignore protection
- Format validation
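As an added illustration of the detection rules above (example code written for this page, not the skill's own `scan.py`; the file patterns, the key regex and the `scan`/`extract_keys` helper names are assumptions), here is a scanner that walks a set of roots for the documented file patterns, pulls out keys whose names match the sensitive-key patterns from JSON and `KEY=VALUE` files, checks each file for mode 600, and reports only redacted metadata, never the values themselves:

```python
import json
import os
import re
import stat
import tempfile
from pathlib import Path

# Illustrative patterns modelled on the detection rules listed above; this is
# an added example, not the skill's own scan.py, and the names are assumptions.
FILE_PATTERNS = ("credentials.json", ".env", "*-creds.json")
SENSITIVE_KEY_RE = re.compile(
    r"api[_-]?key|access[_-]?token|bearer|token|secret|password|passphrase|"
    r"consumer[_-]?key|private[_-]?key|signing[_-]?key|wallet|mnemonic|seed",
    re.IGNORECASE,
)
ENV_LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")


def redact(value):
    """Report only metadata about a secret (its length), never the value itself."""
    return f"<redacted len={len(str(value))}>"


def candidate_files(roots):
    """Yield files under each root whose name matches a documented file pattern."""
    for root in roots:
        root = Path(root).expanduser()
        if root.is_dir():
            for pattern in FILE_PATTERNS:
                yield from (p for p in root.rglob(pattern) if p.is_file())


def extract_keys(path):
    """Return {key_path: redacted_value} for sensitive-looking keys in a JSON or KEY=VALUE file."""
    text = path.read_text(errors="replace")
    found = {}
    if path.suffix == ".json":
        try:
            stack = [("", json.loads(text))]
        except json.JSONDecodeError:
            return found
        while stack:                      # walk nested objects without recursion
            prefix, node = stack.pop()
            if isinstance(node, dict):
                for k, v in node.items():
                    name = f"{prefix}.{k}" if prefix else str(k)
                    if isinstance(v, (dict, list)):
                        stack.append((name, v))
                    elif SENSITIVE_KEY_RE.search(name):
                        found[name] = redact(v)
            elif isinstance(node, list):
                stack.extend((f"{prefix}[{i}]", v) for i, v in enumerate(node))
    else:
        for line in text.splitlines():
            m = ENV_LINE_RE.match(line)
            if m and SENSITIVE_KEY_RE.search(m.group(1)):
                found[m.group(1)] = redact(m.group(2).strip())
    return found


def scan(roots):
    """One report entry per file that holds sensitive keys: path, mode, 600 check, keys."""
    report = []
    for path in candidate_files(roots):
        keys = extract_keys(path)
        if keys:
            mode = stat.S_IMODE(path.stat().st_mode)
            report.append({"path": str(path), "mode": oct(mode),
                           "mode_ok": mode == 0o600, "keys": keys})
    return report


def demo():
    """Constructed fixture: a scattered credential layout in a temp dir (all values fake)."""
    tmp = Path(tempfile.mkdtemp())
    cfg = tmp / ".config" / "x"
    cfg.mkdir(parents=True)
    (cfg / "credentials.json").write_text(json.dumps(
        {"oauth": {"consumer_key": "ck_demo", "consumer_secret": "cs_demo"}, "user": "bot"}))
    mem = tmp / "workspace" / "memory"
    mem.mkdir(parents=True)
    (mem / "molten-creds.json").write_text(json.dumps({"api_key": "mk_demo12345"}))
    (tmp / ".env").write_text("OPENAI_API_KEY=sk-demo\nEDITOR=vim\n")
    os.chmod(tmp / ".env", 0o644)      # deliberately too open, so the report flags it
    return scan([tmp])


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The report is what a dry-run scan should look like: the operator learns which files hold what kinds of keys and whether their mode is wrong, and nothing printed can leak a secret into a terminal log.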
Quick Start
Full Migration (Recommended)
```bash
# Scan for credentials
./scripts/scan.py

# Review and consolidate
./scripts/consolidate.py

# Validate security
./scripts/validate.py
```
Individual Operations
```bash
# Scan only
./scripts/scan.py

# Consolidate a specific service
./scripts/consolidate.py --service x

# Backup only, don't delete
./scripts/consolidate.py --backup-only

# Clean up old files
./scripts/cleanup.py --confirm
```
Common Credential Locations
The skill scans these locations:
```
~/.config/*/credentials.json
~/.openclaw/workspace/memory/*-creds.json
~/.openclaw/workspace/memory/credentials.json
~/.env (merged if it exists)
```
Security Features
✅ File permissions: Sets .env to mode 600 (owner only)
✅ Git protection: Creates/updates .gitignore
✅ Backups: Timestamped backups before changes
✅ Validation: Checks format, permissions, and duplicates
✅ Template: Creates .env.example (safe to share)
Output Structure
After migration:
```
~/.openclaw/
├── .env              # All credentials (secure)
├── .env.example      # Template (safe)
├── .gitignore        # Protects .env
├── CREDENTIALS.md    # Documentation
└── backups/
    └── credentials-old-YYYYMMDD/   # Backup of old files
```
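The consolidation step itself (steps 2 to 5 of "What This Skill Does", producing the layout just shown), as an added example rather than the skill's own `consolidate.py`; the `consolidate`, `write_private` and `render_env` names are assumptions and the credential mapping is constructed. The point worth seeing is the order of operations: create `.env` with mode 600 from its first byte instead of writing it and tightening afterwards, back up before overwriting, blank the values in `.env.example`, and make the `.gitignore` update idempotent:

```python
import os
import re
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Added example of the consolidation step, not the skill's consolidate.py.
# `creds` is assumed to be a {KEY: value} mapping already gathered by scanning.
KEY_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")


def write_private(path, content):
    """Create the file with mode 600 from its first byte, then swap it into place.
    Writing first and chmod-ing later leaves a window in which the default umask
    (typically 644) exposes the secrets; O_CREAT with 0o600 avoids that."""
    tmp = path.with_name(path.name + ".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(tmp, 0o600)          # the O_CREAT mode is ignored if .tmp already existed
    os.replace(tmp, path)


def render_env(creds, template=False):
    """Render sorted KEY=VALUE lines; the template keeps the keys and blanks the values."""
    lines = []
    for key in sorted(creds):
        if not KEY_RE.match(key):
            raise ValueError(f"refusing to write malformed key {key!r}")
        value = "" if template else str(creds[key])
        if any(c in value for c in " #\"'"):     # quote anything a shell would mangle
            value = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def ensure_gitignore(root):
    """List .env in root/.gitignore exactly once (safe to call repeatedly)."""
    gi = root / ".gitignore"
    existing = gi.read_text().splitlines() if gi.exists() else []
    if ".env" not in existing:
        gi.write_text("\n".join(existing + [".env"]) + "\n")
    return gi


def consolidate(root, creds, old_files=()):
    """Back up old files and any existing .env, then write .env (600), .env.example and .gitignore."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    backup_dir = root / "backups" / f"credentials-old-{stamp}"
    backup_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    env = root / ".env"
    for old in [Path(p) for p in old_files] + [env]:
        if old.is_file():
            shutil.copy2(old, backup_dir / old.name)   # copy2 keeps the original mode
    write_private(env, render_env(creds))
    (root / ".env.example").write_text(render_env(creds, template=True))
    ensure_gitignore(root)
    return {"env": env, "example": root / ".env.example", "backup_dir": backup_dir}


def demo():
    """Constructed input: two fake keys plus one old credential file to back up."""
    tmp = Path(tempfile.mkdtemp())
    old = tmp / "workspace" / "memory" / "x-creds.json"
    old.parent.mkdir(parents=True)
    old.write_text('{"consumer_key": "ck_demo"}')
    return consolidate(tmp / ".openclaw",
                       {"X_CONSUMER_KEY": "ck_demo", "OPENAI_API_KEY": "sk demo #1"},
                       old_files=[old])


if __name__ == "__main__":
    print({name: str(path) for name, path in demo().items()})
```

`render_env` refuses keys that are not `UPPER_SNAKE`, which is the cheapest way to keep a stray line of JSON or a shell command from being written into the file and later `source`d by a Bash skill.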
Supported Services
Common services auto-detected:
- X (Twitter): OAuth 1.0a credentials
- Molten: Agent intent matching
- Moltbook: Agent social network
- Botchan/4claw: Net Protocol
- OpenAI, Anthropic, Google: AI providers
- GitHub, GitLab: Code hosting
- Generic: `API_KEY`, `*_TOKEN`, `*_SECRET` patterns
See references/supported-services.md for full list.
Security Best Practices
See references/security.md for detailed security guidelines.
Quick checklist:
- ✅ `.env` has 600 permissions
- ✅ `.env` is git-ignored
- ✅ No credentials in code or logs
- ✅ Rotate keys periodically
- ✅ Use separate keys per environment
Scripts
All scripts support --help for detailed usage.
scan.py
```bash
# Scan and report
./scripts/scan.py

# Include custom paths
./scripts/scan.py --paths ~/.myapp/config ~/.local/share/creds

# JSON output
./scripts/scan.py --format json
```
consolidate.py
```bash
# Interactive mode (prompts before changes)
./scripts/consolidate.py

# Auto-confirm (no prompts)
./scripts/consolidate.py --yes

# Backup only
./scripts/consolidate.py --backup-only

# Specific service
./scripts/consolidate.py --service molten
```
validate.py
```bash
# Full validation
./scripts/validate.py

# Check permissions only
./scripts/validate.py --check permissions

# Auto-fix issues
./scripts/validate.py --fix
```
cleanup.py
```bash
# Dry run (shows what would be removed)
./scripts/cleanup.py

# Actually remove old files
./scripts/cleanup.py --confirm

# Keep backups
./scripts/cleanup.py --confirm --keep-backups
```
Migration Workflow
Step 1: Discovery
```bash
./scripts/scan.py
```
Review output to see what will be migrated.
Step 2: Backup & Consolidate
```bash
./scripts/consolidate.py
```
Creates backups, builds `.env`, sets permissions.
Step 3: Validation
```bash
./scripts/validate.py
```
Ensures everything is secure and correct.
Step 4: Test
Test your applications/skills with the new .env file.
Step 5: Cleanup
```bash
./scripts/cleanup.py --confirm
```
Removes old credential files (backups remain).
For Skill Developers: Enforce This Standard
Other OpenClaw skills MUST validate credentials are secure before using them:
Python Skills
```python
#!/usr/bin/env python3
import sys
from pathlib import Path

# Add the credential manager scripts to the path
sys.path.insert(0, str(Path.home() / ".openclaw/skills/credential-manager/scripts"))

# Enforce a secure .env (exits if it is not compliant)
from enforce import require_secure_env, get_credential
require_secure_env()

# Credentials can now be loaded safely
api_key = get_credential("SERVICE_API_KEY")
```
Bash Skills
```bash
#!/usr/bin/env bash
set -euo pipefail

# Verify .env exists and is secure
if ! python3 ~/.openclaw/skills/credential-manager/scripts/enforce.py; then
    exit 1
fi

# Safe to load now
source ~/.openclaw/.env
```
This creates a fail-fast system: If credentials aren't properly secured, skills refuse to run. Users are forced to fix it.
Loading Credentials
After migration, load from .env:
Python
```python
import os
from pathlib import Path

# Load .env
env_file = Path.home() / ".openclaw" / ".env"
with open(env_file) as f:
    for line in f:
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            os.environ[key] = val

# Use credentials
api_key = os.getenv("SERVICE_API_KEY")
```
Bash
```bash
# Load .env
set -a
source ~/.openclaw/.env
set +a

# Use credentials
echo "$SERVICE_API_KEY"
```
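One way to implement the checks behind `validate.py`, the fail-fast `require_secure_env()` / `get_credential()` contract that "For Skill Developers" asks for, and a stricter `.env` parser than the minimal loop above, all in one added example (this is not the project's `enforce.py` or `validate.py`; every function name, the fixture values and the problem strings are assumptions). The parser accepts `export` prefixes, quoted values and trailing comments, flags duplicates and malformed lines, and `require_secure_env()` refuses to continue unless the file is mode 600 and listed in the sibling `.gitignore`:

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Added example; not the skill's validate.py or enforce.py. It assumes the
# documented layout: ~/.openclaw/.env with a .gitignore beside it.
LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text):
    """Parse KEY=VALUE lines. Handles blank lines, # comments, an `export` prefix,
    single/double quoted values and a trailing ' # comment' after unquoted values.
    Returns (values, problems); problems lists duplicate keys and malformed lines."""
    values, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            problems.append(f"line {n}: not KEY=VALUE")
            continue
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            quote, val = val[0], val[1:-1]
            if quote == '"':
                val = val.replace('\\"', '"').replace("\\\\", "\\")
        else:
            val = val.split(" #", 1)[0].rstrip()
        if key in values:
            problems.append(f"line {n}: duplicate key {key}")
        values[key] = val
    return values, problems


def validate(env_path):
    """Run the documented checks: mode 600, git-ignored, format, duplicates."""
    env_path = Path(env_path)
    if not env_path.is_file():
        return [f"{env_path} does not exist"]
    problems = []
    mode = stat.S_IMODE(env_path.stat().st_mode)
    if mode != 0o600:
        problems.append(f"mode is {oct(mode)}, expected 0o600")
    gi = env_path.parent / ".gitignore"
    if not gi.is_file() or ".env" not in gi.read_text().splitlines():
        problems.append(".env is not listed in .gitignore")
    _, format_problems = parse_dotenv(env_path.read_text())
    return problems + format_problems


def require_secure_env(env_path=None):
    """Fail fast: exit non-zero unless the .env passes every check."""
    env_path = Path(env_path) if env_path else Path.home() / ".openclaw" / ".env"
    problems = validate(env_path)
    if problems:
        raise SystemExit("refusing to run; credential store is insecure:\n  " + "\n  ".join(problems))
    return env_path


def get_credential(name, env_path=None):
    """Load the validated .env into os.environ (an existing environment wins) and return one key."""
    env_path = require_secure_env(env_path)
    values, _ = parse_dotenv(env_path.read_text())
    for key, val in values.items():
        os.environ.setdefault(key, val)
    if name not in os.environ:
        raise KeyError(f"{name} is not set in the environment or in {env_path}")
    return os.environ[name]


def demo():
    """Constructed fixture: a weak .env (644, no .gitignore, duplicate and junk lines)
    beside a correct one. Returns (weak problems, good problems, one loaded value)."""
    root = Path(tempfile.mkdtemp())
    weak = root / "weak" / ".env"
    weak.parent.mkdir()
    weak.write_text("DEMO_X_KEY=abc\nDEMO_X_KEY=def\nnot a line\n")
    weak.chmod(0o644)
    good = root / "good" / ".env"
    good.parent.mkdir()
    good.write_text('export DEMO_X_CONSUMER_KEY="ck demo #1"\nDEMO_X_SECRET=cs_demo # trailing\n')
    good.chmod(0o600)
    (good.parent / ".gitignore").write_text(".env\n")
    return validate(weak), validate(good), get_credential("DEMO_X_CONSUMER_KEY", good)


if __name__ == "__main__":
    weak_problems, good_problems, _ = demo()
    print("weak:", weak_problems)
    print("good:", good_problems)
```

Raising `SystemExit` with the problem list is what makes the contract usable from Bash as well: the exit status is non-zero, the message names the exact check that failed, and no credential value is ever part of the output.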
Using Existing Loaders
If you migrated using OpenClaw scripts:
```python
from load_credentials import get_credentials
creds = get_credentials("x")
```
Adding New Credentials
Edit ~/.openclaw/.env:
```bash
# Add new service
NEW_SERVICE_API_KEY=your_key_here
NEW_SERVICE_SECRET=your_secret_here
```
Update template too:
```bash
# Edit .env.example
NEW_SERVICE_API_KEY=your_key_here
NEW_SERVICE_SECRET=your_secret_here
```
Rollback
If something goes wrong:
```bash
# Find your backups
ls -la ~/.
```
Notes
- Non-destructive by default: Original files backed up before removal
- Idempotent: Safe to run multiple times
- Extensible: Add custom credential patterns in scripts
- Secure: Never logs full credentials, only metadata