Openclaw-superpowers secrets-hygiene

Audits which skills have access to secrets, flags stale or unrotated credentials, and prompts rotation. Use weekly to keep credentials clean.

install
source · Clone the upstream repo
git clone https://github.com/ArchieIndian/openclaw-superpowers
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ArchieIndian/openclaw-superpowers "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/openclaw-native/secrets-hygiene" ~/.claude/skills/archieindian-openclaw-superpowers-secrets-hygiene && rm -rf "$T"
OpenClaw · Install into ~/.openclaw/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ArchieIndian/openclaw-superpowers "$T" && mkdir -p ~/.openclaw/skills && cp -r "$T/skills/openclaw-native/secrets-hygiene" ~/.openclaw/skills/archieindian-openclaw-superpowers-secrets-hygiene && rm -rf "$T"
manifest: skills/openclaw-native/secrets-hygiene/SKILL.md
source content

Secrets Hygiene

State file:

~/.openclaw/skill-state/secrets-hygiene/state.yaml

Credentials you forgot about are credentials that will leak.

When to Use

  • On Monday 9am cron wakeup
  • When adding or removing a skill that uses credentials
  • After any suspected security incident

The Audit Process

Step 1: Inventory

List all secrets currently configured in OpenClaw (env vars, config files, keychain entries referenced by installed skills). For each, record: name, which skills access it, when it was last rotated (if known).

Step 2: Flag Stale Secrets

A secret is stale if:

  • Last rotated more than 90 days ago (or unknown rotation date)
  • The skill that uses it is no longer installed
  • It grants broader access than the skill needs

Step 3: Report

Send a summary:

Secrets Audit — [date]
[N] secrets tracked
[N] flagged for rotation: [names]
[N] orphaned (skill removed): [names]
Action needed: [yes/no]

Step 4: Update State

Write last_audit_at, the updated tracked_secrets list, flagged_count and orphaned_count to the state file.

Cron Wakeup Behavior

On Monday 9am wakeup:

  • Read state; if last_audit_at is within the last 6 days, skip
  • Otherwise run the audit and update state
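The audit steps and the cron skip rule above, worked through as an added Python example that is not part of the skill or the upstream repo. It assumes the Step 1 inventory is already available as a list of dicts with the hypothetical fields name, skills, last_rotated_at and overbroad, and it returns the new state-file contents as a dict rather than writing state.yaml itself; the sample inventory is constructed.

```python
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=90)  # Step 2: rotated more than 90 days ago (or never recorded)
SKIP_WINDOW = timedelta(days=6)   # Cron rule: skip if last_audit_at is within the last 6 days

def should_run(state, now):
    """Monday wakeup check: run unless the state file shows a recent audit."""
    last = state.get("last_audit_at")
    return last is None or now - datetime.fromisoformat(last) >= SKIP_WINDOW

def needs_rotation(secret, now):
    """Step 2: unknown rotation date, rotation older than 90 days, or over-broad access."""
    rotated = secret.get("last_rotated_at")
    too_old = rotated is None or now - datetime.fromisoformat(rotated) > STALE_AFTER
    return too_old or bool(secret.get("overbroad"))  # overbroad is recorded by the inventory

def audit(secrets, installed_skills, now):
    """Steps 2 and 4: classify each secret and build the new state-file contents."""
    flagged = [s["name"] for s in secrets if needs_rotation(s, now)]
    # Orphaned: no installed skill still references the secret
    orphaned = [s["name"] for s in secrets if not set(s["skills"]) & installed_skills]
    state = {
        "last_audit_at": now.isoformat(timespec="seconds"),
        "tracked_secrets": [s["name"] for s in secrets],
        "flagged_count": len(flagged),
        "orphaned_count": len(orphaned),
    }
    return flagged, orphaned, state

def format_report(state, flagged, orphaned):
    """Step 3: the summary in the layout the skill specifies."""
    return "\n".join([
        f"Secrets Audit — {state['last_audit_at'][:10]}",
        f"{len(state['tracked_secrets'])} secrets tracked",
        f"{len(flagged)} flagged for rotation: {', '.join(flagged) or 'none'}",
        f"{len(orphaned)} orphaned (skill removed): {', '.join(orphaned) or 'none'}",
        f"Action needed: {'yes' if flagged or orphaned else 'no'}",
    ])

# Constructed sample inventory (what Step 1 would produce) and a Monday 9am wakeup.
NOW = datetime(2025, 6, 2, 9, 0)
INSTALLED = {"git-sync", "slack-notify"}  # s3-backup was removed, so its key is orphaned
SECRETS = [
    {"name": "GITHUB_TOKEN", "skills": ["git-sync"], "last_rotated_at": "2025-05-20"},
    {"name": "SLACK_WEBHOOK", "skills": ["slack-notify"], "last_rotated_at": "2025-01-10"},
    {"name": "AWS_SECRET_KEY", "skills": ["s3-backup"], "last_rotated_at": None, "overbroad": True},
]

if __name__ == "__main__" and should_run({"last_audit_at": "2025-05-26T09:00:00"}, NOW):
    flagged, orphaned, state = audit(SECRETS, INSTALLED, NOW)
    print(format_report(state, flagged, orphaned))
```

A secret whose only skill was removed shows up in both the orphaned line and, if its rotation is also old or unknown, the flagged line, which is how the report template keeps the two conditions separate.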