Openclaw-superpowers config-encryption-auditor

Scans OpenClaw config directories for plaintext API keys, tokens, and secrets in unencrypted files — flags exposure risks and suggests encryption or environment variable migration.

install
source · Clone the upstream repo
git clone https://github.com/ArchieIndian/openclaw-superpowers
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ArchieIndian/openclaw-superpowers "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/openclaw-native/config-encryption-auditor" ~/.claude/skills/archieindian-openclaw-superpowers-config-encryption-auditor && rm -rf "$T"
OpenClaw · Install into ~/.openclaw/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ArchieIndian/openclaw-superpowers "$T" && mkdir -p ~/.openclaw/skills && cp -r "$T/skills/openclaw-native/config-encryption-auditor" ~/.openclaw/skills/archieindian-openclaw-superpowers-config-encryption-auditor && rm -rf "$T"
manifest: skills/openclaw-native/config-encryption-auditor/SKILL.md
source content

Config Encryption Auditor

What it does

OpenClaw stores configuration in ~/.openclaw/: API keys, channel tokens, provider credentials. By default, these are plaintext YAML or JSON files readable by any process on your machine.

OpenLobster solved this with AES-GCM encrypted config files. We can't change OpenClaw's config format, but we can audit it — scanning for exposed secrets, flagging unencrypted credential files, and suggesting migrations to environment variables or encrypted vaults.

When to invoke

  • Automatically, every Sunday at 9am (cron)
  • After initial OpenClaw setup
  • Before deploying to shared infrastructure
  • After any config change that adds new API keys

Checks performed

Check               Severity   What it detects
PLAINTEXT_API_KEY   CRITICAL   API key patterns in config files (sk-, AKIA, ghp_, etc.)
PLAINTEXT_TOKEN     HIGH       OAuth tokens, bearer tokens, passwords in config
WORLD_READABLE      HIGH       Config files with 644/755 permissions (readable by all users)
NO_GITIGNORE        MEDIUM     Config directory not gitignored (risk of committing secrets)
ENV_AVAILABLE       INFO       Secret could be migrated to environment variable
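As an added example (not the skill's own audit.py), here is a minimal Python implementation of the PLAINTEXT_API_KEY and WORLD_READABLE checks from the table above, run over a constructed config directory. The regular expressions, the key-length minimums and the masking of reported matches are assumptions; only the sk-/AKIA/ghp_ prefixes come from the table.

```python
import re
import stat
import tempfile
from pathlib import Path

# Prefixes named in the check table; the full patterns are assumptions.
SECRET_PATTERNS = {
    "sk-": re.compile(r"\bsk-[A-Za-z0-9_-]{8,}"),
    "AKIA": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "ghp_": re.compile(r"\bghp_[A-Za-z0-9]{20,}"),
}
CONFIG_SUFFIXES = {".yaml", ".yml", ".json"}


def scan_config_dir(root):
    """Return findings as (check, severity, path, detail) tuples."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in CONFIG_SUFFIXES:
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        # WORLD_READABLE: any group/other read bit set (e.g. 644, 755)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(("WORLD_READABLE", "HIGH", str(path), oct(mode)))
        text = path.read_text(errors="replace")
        for pattern in SECRET_PATTERNS.values():
            for match in pattern.finditer(text):
                # Report only a masked prefix so the audit log never leaks the secret
                masked = match.group(0)[:6] + "..."
                findings.append(("PLAINTEXT_API_KEY", "CRITICAL", str(path), masked))
    return findings


def demo():
    """Build a constructed ~/.openclaw-like directory in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp())
    leaky = root / "config.yaml"
    # Constructed, non-functional key value used only for the demonstration
    leaky.write_text("api_key: sk-EXAMPLE0000000000\nregion: us-east-1\n")
    leaky.chmod(0o644)  # world-readable
    clean = root / "channels.json"
    clean.write_text('{"api_key_env": "OPENCLAW_API_KEY"}\n')
    clean.chmod(0o600)  # owner-only, secret referenced via environment variable
    return scan_config_dir(root)


if __name__ == "__main__":
    for check, severity, path, detail in demo():
        print(f"{severity:8} {check:18} {path} ({detail})")
```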

How to use

python3 audit.py --scan                    # Full audit
python3 audit.py --scan --critical-only    # CRITICAL findings only
python3 audit.py --fix-permissions         # chmod 600 on config files
python3 audit.py --suggest-env             # Print env var migration guide
python3 audit.py --status                  # Last audit summary
python3 audit.py --format json             # Machine-readable output

Procedure

Step 1 — Run the audit

python3 audit.py --scan

Step 2 — Fix CRITICAL issues first

For each PLAINTEXT_API_KEY finding, migrate the key to an environment variable:

# Instead of storing in config.yaml:
#   api_key: sk-abc123...
# Use:
export OPENCLAW_API_KEY="sk-abc123..."

Step 3 — Fix file permissions

python3 audit.py --fix-permissions

This runs chmod 600 on all config files (owner read/write only).

Step 4 — Verify gitignore coverage

Ensure ~/.openclaw/, or at minimum the config files, are in your global .gitignore.

State

Audit results and history are stored in ~/.openclaw/skill-state/config-encryption-auditor/state.yaml.

Fields: last_audit_at, findings, files_scanned, audit_history.