OpenClaw Sentry
Scans your agent workspace for leaked secrets — API keys, tokens, passwords, private keys, and credentials that should never be in plain text.
The Problem
Agent workspaces accumulate secrets: API keys in config files, tokens in memory logs, passwords in environment files. A single leaked credential can compromise your entire infrastructure. Existing secret scanners work on git repos — nothing watches the agent workspace itself.
Commands
Full Scan
Scan all workspace files for secrets and high-risk files.
```bash
python3 {baseDir}/scripts/sentry.py scan --workspace /path/to/workspace
```
Check Single File
Check a specific file for secrets.
```bash
python3 {baseDir}/scripts/sentry.py check MEMORY.md --workspace /path/to/workspace
```
Quick Status
One-line summary of secret exposure risk.
```bash
python3 {baseDir}/scripts/sentry.py status --workspace /path/to/workspace
```
What It Detects
| Provider | Patterns |
|---|---|
| AWS | Access keys (AKIA...), secret keys |
| GitHub | PATs (`ghp_`, `gho_`, `ghs_`, `ghr_`, `github_pat_`) |
| Slack | Bot/user tokens (xox...), webhooks |
| Stripe | Secret keys (`sk_live_`), publishable keys |
| OpenAI | API keys (sk-...) |
| Anthropic | API keys (sk-ant-...) |
| Google | API keys (AIza...), OAuth secrets |
| Azure | Storage account keys |
| Generic | API keys, secrets, passwords, bearer tokens, connection strings |
| Crypto | PEM private keys, .key/.pem/.p12 files |
| Database | PostgreSQL/MySQL/MongoDB/Redis URLs with credentials |
| JWT | JSON Web Tokens |
| Environment | .env files with variables |
Exit Codes
- `0` — Clean, no secrets found
- `1` — Warnings (high-risk files detected)
- `2` — Critical secrets found
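To show how pattern hits and high-risk file names could map onto these exit codes, here is an added sketch; it is not OpenClaw Sentry's own code. The regexes, the definition of a high-risk file, and the helper names are assumptions, and the sample workspace is constructed.

```python
import re
from pathlib import PurePath

# Illustrative patterns only: assumptions, not OpenClaw Sentry's real rules.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pors]_[A-Za-z0-9]{36}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "db_url_with_creds": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]*:[^\s@/]+@"),
}
# Assumed definition of "high-risk file": key material and .env files.
HIGH_RISK_SUFFIXES = {".key", ".pem", ".p12"}

def redact(secret):
    """Keep the 4-character prefix so the finding is identifiable, mask the rest."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan_text(text):
    """Return (line number, pattern name, redacted match) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            findings += [(lineno, name, redact(m.group(0))) for m in rx.finditer(line)]
    return findings

def is_high_risk(filename):
    p = PurePath(filename)
    return p.name == ".env" or p.name.startswith(".env.") or p.suffix.lower() in HIGH_RISK_SUFFIXES

def exit_code(files):
    """Map {filename: content} to the page's exit codes: 0 clean, 1 warning, 2 critical."""
    code = 0
    for name, content in files.items():
        if scan_text(content):
            return 2
        if is_high_risk(name):
            code = 1
    return code

# Constructed sample workspace; the AWS value is AWS's documented example key.
SAMPLE = {
    "MEMORY.md": "deploy notes\naws key AKIAIOSFODNN7EXAMPLE used on staging\n",
    "config/.env": "LOG_LEVEL=debug\n",
    "notes.txt": "DB is at postgresql://db.internal:5432/prod\n",
}

if __name__ == "__main__":
    print({f: scan_text(b) for f, b in SAMPLE.items()}, "exit code:", exit_code(SAMPLE))
```

Findings are redacted before they are reported so that the scanner's own output does not become another place where the secret sits in plain text.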
No External Dependencies
Python standard library only. No pip install. No network calls. Everything runs locally.
Cross-Platform
Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.