Credential Manager
by @callmedas69
MANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional β centralized credential management is a core requirement for secure OpenClaw deployments. Scans for credential files across common locations, backs up existing files, creates a unified .env with mode 600, validates security, and enfor
clawhub install credential-managerπ About This Skill
name: credential-manager description: MANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional β centralized credential management is a core requirement for secure OpenClaw deployments. Scans for credential files across common locations, backs up existing files, creates a unified .env with mode 600, validates security, and enforces best practices.
Credential Manager
STATUS: MANDATORY SECURITY FOUNDATION
Consolidate scattered API keys and credentials into a secure, centralized .env file.
β οΈ This Is Not Optional
Centralized .env credential management is a core requirement for OpenClaw security. If your credentials are scattered across multiple files, stop and consolidate them now.
THE RULE: All credentials MUST be in ~/.openclaw/.env ONLY. No workspace, no skills, no scripts directories.
See:
The Foundation
Every OpenClaw deployment MUST have:
~/.openclaw/.env (mode 600)
This is your single source of truth for all credentials. No exceptions.
Why?
Scattered credentials = scattered attack surface. This skill fixes that.
What This Skill Does
1. Scans for credentials in common locations
2. Backs up existing credential files (timestamped)
3. Consolidates into ~/.openclaw/.env
4. Secures with proper permissions (600)
5. Validates security and format
6. Enforces best practices
7. Cleans up old files after migration
Detection Parameters
The skill automatically detects credentials by scanning for:
File Patterns:
credentials.json files in config directories.env files-creds or credentials in the nameSensitive Key Patterns:
Security Checks:
600)Quick Start
Full Migration (Recommended)
# Scan for credentials
./scripts/scan.pyReview and consolidate
./scripts/consolidate.pyValidate security
./scripts/validate.py
Individual Operations
# Scan only
./scripts/scan.pyConsolidate specific service
./scripts/consolidate.py --service xBackup without removing
./scripts/consolidate.py --backup-onlyClean up old files
./scripts/cleanup.py --confirm
Common Credential Locations
The skill scans these locations:
~/.config/*/credentials.json
~/.openclaw/workspace/memory/*-creds.json
~/.openclaw/workspace/memory/*credentials*.json
~/.env (if exists, merges)
Security Features
β
File permissions: Sets .env to mode 600 (owner only)
β
Git protection: Creates/updates .gitignore
β
Backups: Timestamped backups before changes
β
Validation: Checks format, permissions, and duplicates
β
Template: Creates .env.example (safe to share)
Output Structure
After migration:
~/.openclaw/
βββ .env # All credentials (secure)
βββ .env.example # Template (safe)
βββ .gitignore # Protects .env
βββ CREDENTIALS.md # Documentation
βββ backups/
βββ credentials-old-YYYYMMDD/ # Backup of old files
Supported Services
Common services auto-detected:
API_KEY, *_TOKEN, *_SECRET patternsSee references/supported-services.md for full list.
Security Best Practices
See references/security.md for detailed security guidelines.
Quick checklist:
.env has 600 permissions.env is git-ignoredScripts
All scripts support --help for detailed usage.
scan.py
# Scan and report
./scripts/scan.pyInclude custom paths
./scripts/scan.py --paths ~/.myapp/config ~/.local/share/credsJSON output
./scripts/scan.py --format json
consolidate.py
# Interactive mode (prompts before changes)
./scripts/consolidate.pyAuto-confirm (no prompts)
./scripts/consolidate.py --yesBackup only
./scripts/consolidate.py --backup-onlySpecific service
./scripts/consolidate.py --service molten
validate.py
# Full validation
./scripts/validate.pyCheck permissions only
./scripts/validate.py --check permissionsFix issues automatically
./scripts/validate.py --fix
cleanup.py
# Dry run (shows what would be deleted)
./scripts/cleanup.pyActually delete old files
./scripts/cleanup.py --confirmKeep backups
./scripts/cleanup.py --confirm --keep-backups
Migration Workflow
Step 1: Discovery
./scripts/scan.py
Review output to see what will be migrated.Step 2: Backup & Consolidate
./scripts/consolidate.py
Creates backups, builds .env, sets permissions.Step 3: Validation
./scripts/validate.py
Ensures everything is secure and correct.Step 4: Test
Test your applications/skills with the new .env file.
Step 5: Cleanup
./scripts/cleanup.py --confirm
Removes old credential files (backups remain).For Skill Developers: Enforce This Standard
Other OpenClaw skills MUST validate credentials are secure before using them:
Python Skills
#!/usr/bin/env python3
import sys
from pathlib import PathAdd credential-manager scripts to path
sys.path.insert(0, str(Path.home() / '.openclaw/skills/credential-manager/scripts'))Enforce secure .env (exits if not compliant)
from enforce import require_secure_env, get_credentialrequire_secure_env()
Now safe to load credentials
api_key = get_credential('SERVICE_API_KEY')
Bash Skills
#!/usr/bin/env bash
set -euo pipefailValidate .env exists and is secure
if ! python3 ~/.openclaw/skills/credential-manager/scripts/enforce.py; then
exit 1
fiNow safe to load
source ~/.openclaw/.env
This creates a fail-fast system: If credentials aren't properly secured, skills refuse to run. Users are forced to fix it.
Loading Credentials
After migration, load from .env:
Python
import os
from pathlib import PathLoad .env
env_file = Path.home() / '.openclaw' / '.env'
with open(env_file) as f:
for line in f:
if '=' in line and not line.strip().startswith('#'):
key, val = line.strip().split('=', 1)
os.environ[key] = valUse credentials
api_key = os.getenv('SERVICE_API_KEY')
Bash
# Load .env
set -a
source ~/.openclaw/.env
set +aUse credentials
echo "$SERVICE_API_KEY"
Using Existing Loaders
If you migrated using OpenClaw scripts:from load_credentials import get_credentials
creds = get_credentials('x')
Adding New Credentials
Edit ~/.openclaw/.env:
# Add new service
NEW_SERVICE_API_KEY=your_key_here
NEW_SERVICE_SECRET=your_secret_here
Update template too:
# Edit .env.example
NEW_SERVICE_API_KEY=your_key_here
NEW_SERVICE_SECRET=your_secret_here
Rollback
If something goes wrong:
# Find your backup
ls -la ~/.openclaw/backups/Restore specific file
cp ~/.openclaw/backups/credentials-old-YYYYMMDD/x-credentials.json.bak \
~/.config/x/credentials.json
Notes
π‘ Examples
Full Migration (Recommended)
# Scan for credentials
./scripts/scan.pyReview and consolidate
./scripts/consolidate.pyValidate security
./scripts/validate.py
Individual Operations
# Scan only
./scripts/scan.pyConsolidate specific service
./scripts/consolidate.py --service xBackup without removing
./scripts/consolidate.py --backup-onlyClean up old files
./scripts/cleanup.py --confirm