🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

Credential Manager

by @callmedas69

MANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional β€” centralized credential management is a core requirement for secure OpenClaw deployments. Scans for credential files across common locations, backs up existing files, creates a unified .env with mode 600, validates security, and enfor

Versionv1.3.0
Downloads5,462
Installs49
Stars⭐ 2
TERMINAL
clawhub install credential-manager

πŸ“– About This Skill


name: credential-manager description: MANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional β€” centralized credential management is a core requirement for secure OpenClaw deployments. Scans for credential files across common locations, backs up existing files, creates a unified .env with mode 600, validates security, and enforces best practices.

Credential Manager

STATUS: MANDATORY SECURITY FOUNDATION

Consolidate scattered API keys and credentials into a secure, centralized .env file.

⚠️ This Is Not Optional

Centralized .env credential management is a core requirement for OpenClaw security. If your credentials are scattered across multiple files, stop and consolidate them now.

THE RULE: All credentials MUST be in ~/.openclaw/.env ONLY. No workspace, no skills, no scripts directories.

See:

  • CORE-PRINCIPLE.md - Why this is non-negotiable
  • CONSOLIDATION-RULE.md - The single source principle
  • The Foundation

    Every OpenClaw deployment MUST have:

    ~/.openclaw/.env (mode 600)
    

    This is your single source of truth for all credentials. No exceptions.

    Why?

  • Single location = easier to secure
  • File mode 600 = only you can read
  • Git-ignored = won't accidentally commit
  • Validated format = catches errors
  • Audit trail = know what changed
  • Scattered credentials = scattered attack surface. This skill fixes that.

    What This Skill Does

    1. Scans for credentials in common locations 2. Backs up existing credential files (timestamped) 3. Consolidates into ~/.openclaw/.env 4. Secures with proper permissions (600) 5. Validates security and format 6. Enforces best practices 7. Cleans up old files after migration

    Detection Parameters

    The skill automatically detects credentials by scanning for:

    File Patterns:

  • credentials.json files in config directories
  • .env files
  • Memory files with -creds or credentials in the name
  • Sensitive Key Patterns:

  • API keys, access tokens, bearer tokens
  • Secrets, passwords, passphrases
  • OAuth consumer keys
  • Private keys, signing keys, wallet keys
  • Mnemonics and seed phrases
  • Security Checks:

  • File permissions (must be 600)
  • Git-ignore protection
  • Format validation
  • Quick Start

    Full Migration (Recommended)

    # Scan for credentials
    ./scripts/scan.py

    Review and consolidate

    ./scripts/consolidate.py

    Validate security

    ./scripts/validate.py

    Individual Operations

    # Scan only
    ./scripts/scan.py

    Consolidate specific service

    ./scripts/consolidate.py --service x

    Backup without removing

    ./scripts/consolidate.py --backup-only

    Clean up old files

    ./scripts/cleanup.py --confirm

    Common Credential Locations

    The skill scans these locations:

    ~/.config/*/credentials.json
    ~/.openclaw/workspace/memory/*-creds.json
    ~/.openclaw/workspace/memory/*credentials*.json
    ~/.env (if exists, merges)
    

    Security Features

    βœ… File permissions: Sets .env to mode 600 (owner only) βœ… Git protection: Creates/updates .gitignore βœ… Backups: Timestamped backups before changes βœ… Validation: Checks format, permissions, and duplicates βœ… Template: Creates .env.example (safe to share)

    Output Structure

    After migration:

    ~/.openclaw/
    β”œβ”€β”€ .env                     # All credentials (secure)
    β”œβ”€β”€ .env.example             # Template (safe)
    β”œβ”€β”€ .gitignore               # Protects .env
    β”œβ”€β”€ CREDENTIALS.md           # Documentation
    └── backups/
        └── credentials-old-YYYYMMDD/  # Backup of old files
    

    Supported Services

    Common services auto-detected:

  • X (Twitter): OAuth 1.0a credentials
  • Molten: Agent intent matching
  • Moltbook: Agent social network
  • Botchan/4claw: Net Protocol
  • OpenAI, Anthropic, Google: AI providers
  • GitHub, GitLab: Code hosting
  • Generic: API_KEY, *_TOKEN, *_SECRET patterns
  • See references/supported-services.md for full list.

    Security Best Practices

    See references/security.md for detailed security guidelines.

    Quick checklist:

  • βœ… .env has 600 permissions
  • βœ… .env is git-ignored
  • βœ… No credentials in code or logs
  • βœ… Rotate keys periodically
  • βœ… Use separate keys per environment
  • Scripts

    All scripts support --help for detailed usage.

    scan.py

    # Scan and report
    ./scripts/scan.py

    Include custom paths

    ./scripts/scan.py --paths ~/.myapp/config ~/.local/share/creds

    JSON output

    ./scripts/scan.py --format json

    consolidate.py

    # Interactive mode (prompts before changes)
    ./scripts/consolidate.py

    Auto-confirm (no prompts)

    ./scripts/consolidate.py --yes

    Backup only

    ./scripts/consolidate.py --backup-only

    Specific service

    ./scripts/consolidate.py --service molten

    validate.py

    # Full validation
    ./scripts/validate.py

    Check permissions only

    ./scripts/validate.py --check permissions

    Fix issues automatically

    ./scripts/validate.py --fix

    cleanup.py

    # Dry run (shows what would be deleted)
    ./scripts/cleanup.py

    Actually delete old files

    ./scripts/cleanup.py --confirm

    Keep backups

    ./scripts/cleanup.py --confirm --keep-backups

    Migration Workflow

    Step 1: Discovery

    ./scripts/scan.py
    
    Review output to see what will be migrated.

    Step 2: Backup & Consolidate

    ./scripts/consolidate.py
    
    Creates backups, builds .env, sets permissions.

    Step 3: Validation

    ./scripts/validate.py
    
    Ensures everything is secure and correct.

    Step 4: Test Test your applications/skills with the new .env file.

    Step 5: Cleanup

    ./scripts/cleanup.py --confirm
    
    Removes old credential files (backups remain).

    For Skill Developers: Enforce This Standard

    Other OpenClaw skills MUST validate credentials are secure before using them:

    Python Skills

    #!/usr/bin/env python3
    import sys
    from pathlib import Path

    Add credential-manager scripts to path

    sys.path.insert(0, str(Path.home() / '.openclaw/skills/credential-manager/scripts'))

    Enforce secure .env (exits if not compliant)

    from enforce import require_secure_env, get_credential

    require_secure_env()

    Now safe to load credentials

    api_key = get_credential('SERVICE_API_KEY')

    Bash Skills

    #!/usr/bin/env bash
    set -euo pipefail

    Validate .env exists and is secure

    if ! python3 ~/.openclaw/skills/credential-manager/scripts/enforce.py; then exit 1 fi

    Now safe to load

    source ~/.openclaw/.env

    This creates a fail-fast system: If credentials aren't properly secured, skills refuse to run. Users are forced to fix it.

    Loading Credentials

    After migration, load from .env:

    Python

    import os
    from pathlib import Path

    Load .env

    env_file = Path.home() / '.openclaw' / '.env' with open(env_file) as f: for line in f: if '=' in line and not line.strip().startswith('#'): key, val = line.strip().split('=', 1) os.environ[key] = val

    Use credentials

    api_key = os.getenv('SERVICE_API_KEY')

    Bash

    # Load .env
    set -a
    source ~/.openclaw/.env
    set +a

    Use credentials

    echo "$SERVICE_API_KEY"

    Using Existing Loaders

    If you migrated using OpenClaw scripts:
    from load_credentials import get_credentials
    creds = get_credentials('x')
    

    Adding New Credentials

    Edit ~/.openclaw/.env:

    # Add new service
    NEW_SERVICE_API_KEY=your_key_here
    NEW_SERVICE_SECRET=your_secret_here
    

    Update template too:

    # Edit .env.example
    NEW_SERVICE_API_KEY=your_key_here
    NEW_SERVICE_SECRET=your_secret_here
    

    Rollback

    If something goes wrong:

    # Find your backup
    ls -la ~/.openclaw/backups/

    Restore specific file

    cp ~/.openclaw/backups/credentials-old-YYYYMMDD/x-credentials.json.bak \ ~/.config/x/credentials.json

    Notes

  • Non-destructive by default: Original files backed up before removal
  • Idempotent: Safe to run multiple times
  • Extensible: Add custom credential patterns in scripts
  • Secure: Never logs full credentials, only metadata
  • πŸ’‘ Examples

    Full Migration (Recommended)

    # Scan for credentials
    ./scripts/scan.py

    Review and consolidate

    ./scripts/consolidate.py

    Validate security

    ./scripts/validate.py

    Individual Operations

    # Scan only
    ./scripts/scan.py

    Consolidate specific service

    ./scripts/consolidate.py --service x

    Backup without removing

    ./scripts/consolidate.py --backup-only

    Clean up old files

    ./scripts/cleanup.py --confirm

    πŸ“‹ Tips & Best Practices

  • Non-destructive by default: Original files backed up before removal
  • Idempotent: Safe to run multiple times
  • Extensible: Add custom credential patterns in scripts
  • Secure: Never logs full credentials, only metadata