HomeBrowseUpload
← Back to registry
// Skill profile

Credential Manager

name: credential-manager

by callmedas69 · published 2026-03-22

开发工具社交媒体加密货币
Total installs
0
Stars
★ 0
Last updated
2026-03
// Install command
$ claw add gh:callmedas69/callmedas69-credential-manager
View on GitHub
// Full documentation

---

name: credential-manager

description: MANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional — centralized credential management is a core requirement for secure OpenClaw deployments. Scans for credential files across common locations, backs up existing files, creates a unified .env with mode 600, validates security, and enforces best practices.

---

# Credential Manager

**STATUS: MANDATORY SECURITY FOUNDATION**

Consolidate scattered API keys and credentials into a secure, centralized `.env` file.

⚠️ This Is Not Optional

Centralized `.env` credential management is a **core requirement** for OpenClaw security. If your credentials are scattered across multiple files, **stop and consolidate them now**.

**THE RULE:** All credentials MUST be in `~/.openclaw/.env` ONLY. No workspace, no skills, no scripts directories.

See:

  • [CORE-PRINCIPLE.md](CORE-PRINCIPLE.md) - Why this is non-negotiable
  • [CONSOLIDATION-RULE.md](CONSOLIDATION-RULE.md) - The single source principle

    • The Foundation

    **Every OpenClaw deployment MUST have:**

    ~/.openclaw/.env (mode 600)

    This is your single source of truth for all credentials. No exceptions.

    **Why?**

  • Single location = easier to secure
  • File mode 600 = only you can read
  • Git-ignored = won't accidentally commit
  • Validated format = catches errors
  • Audit trail = know what changed

    • Scattered credentials = scattered attack surface. This skill fixes that.

    What This Skill Does

    1. **Scans** for credentials in common locations

    2. **Backs up** existing credential files (timestamped)

    3. **Consolidates** into `~/.openclaw/.env`

    4. **Secures** with proper permissions (600)

    5. **Validates** security and format

    6. **Enforces** best practices

    7. **Cleans up** old files after migration

    Detection Parameters

    The skill automatically detects credentials by scanning for:

    **File Patterns:**

  • `credentials.json` files in config directories
  • `.env` files
  • Memory files with `-creds` or `credentials` in the name

    • **Sensitive Key Patterns:**

  • API keys, access tokens, bearer tokens
  • Secrets, passwords, passphrases
  • OAuth consumer keys
  • Private keys, signing keys, wallet keys
  • Mnemonics and seed phrases

    • **Security Checks:**

  • File permissions (must be `600`)
  • Git-ignore protection
  • Format validation

    • Quick Start

    Full Migration (Recommended)

    # Scan for credentials
./scripts/scan.py

# Review and consolidate
./scripts/consolidate.py

# Validate security
./scripts/validate.py

    Individual Operations

    # Scan only
./scripts/scan.py

# Consolidate specific service
./scripts/consolidate.py --service x

# Backup without removing
./scripts/consolidate.py --backup-only

# Clean up old files
./scripts/cleanup.py --confirm

    Common Credential Locations

    The skill scans these locations:

    ~/.config/*/credentials.json
~/.openclaw/workspace/memory/*-creds.json
~/.openclaw/workspace/memory/*credentials*.json
~/.env (if exists, merges)

    Security Features

    ✅ **File permissions:** Sets `.env` to mode 600 (owner only)

    ✅ **Git protection:** Creates/updates `.gitignore`

    ✅ **Backups:** Timestamped backups before changes

    ✅ **Validation:** Checks format, permissions, and duplicates

    ✅ **Template:** Creates `.env.example` (safe to share)

    Output Structure

    After migration:

    ~/.openclaw/
├── .env                     # All credentials (secure)
├── .env.example             # Template (safe)
├── .gitignore               # Protects .env
├── CREDENTIALS.md           # Documentation
└── backups/
    └── credentials-old-YYYYMMDD/  # Backup of old files

    Supported Services

    Common services auto-detected:

  • **X (Twitter):** OAuth 1.0a credentials
  • **Molten:** Agent intent matching
  • **Moltbook:** Agent social network
  • **Botchan/4claw:** Net Protocol
  • **OpenAI, Anthropic, Google:** AI providers
  • **GitHub, GitLab:** Code hosting
  • **Generic:** `API_KEY`, `*_TOKEN`, `*_SECRET` patterns

    • See [references/supported-services.md](references/supported-services.md) for full list.

    Security Best Practices

    See [references/security.md](references/security.md) for detailed security guidelines.

    **Quick checklist:**

  • ✅ `.env` has 600 permissions
  • ✅ `.env` is git-ignored
  • ✅ No credentials in code or logs
  • ✅ Rotate keys periodically
  • ✅ Use separate keys per environment

    • Scripts

    All scripts support `--help` for detailed usage.

    scan.py

    # Scan and report
./scripts/scan.py

# Include custom paths
./scripts/scan.py --paths ~/.myapp/config ~/.local/share/creds

# JSON output
./scripts/scan.py --format json

    consolidate.py

    # Interactive mode (prompts before changes)
./scripts/consolidate.py

# Auto-confirm (no prompts)
./scripts/consolidate.py --yes

# Backup only
./scripts/consolidate.py --backup-only

# Specific service
./scripts/consolidate.py --service molten

    validate.py

    # Full validation
./scripts/validate.py

# Check permissions only
./scripts/validate.py --check permissions

# Fix issues automatically
./scripts/validate.py --fix

    cleanup.py

    # Dry run (shows what would be deleted)
./scripts/cleanup.py

# Actually delete old files
./scripts/cleanup.py --confirm

# Keep backups
./scripts/cleanup.py --confirm --keep-backups

    Migration Workflow

    **Step 1: Discovery**

    ./scripts/scan.py

    Review output to see what will be migrated.

    **Step 2: Backup & Consolidate**

    ./scripts/consolidate.py

    Creates backups, builds `.env`, sets permissions.

    **Step 3: Validation**

    ./scripts/validate.py

    Ensures everything is secure and correct.

    **Step 4: Test**

    Test your applications/skills with the new `.env` file.

    **Step 5: Cleanup**

    ./scripts/cleanup.py --confirm

    Removes old credential files (backups remain).

    For Skill Developers: Enforce This Standard

    Other OpenClaw skills MUST validate credentials are secure before using them:

    Python Skills

    #!/usr/bin/env python3
import sys
from pathlib import Path

# Add credential-manager scripts to path
sys.path.insert(0, str(Path.home() / '.openclaw/skills/credential-manager/scripts'))

# Enforce secure .env (exits if not compliant)
from enforce import require_secure_env, get_credential

require_secure_env()

# Now safe to load credentials
api_key = get_credential('SERVICE_API_KEY')

    Bash Skills

    #!/usr/bin/env bash
set -euo pipefail

# Validate .env exists and is secure
if ! python3 ~/.openclaw/skills/credential-manager/scripts/enforce.py; then
    exit 1
fi

# Now safe to load
source ~/.openclaw/.env

    **This creates a fail-fast system:** If credentials aren't properly secured, skills refuse to run. Users are forced to fix it.

    Loading Credentials

    After migration, load from `.env`:

    Python

    import os
from pathlib import Path

# Load .env
env_file = Path.home() / '.openclaw' / '.env'
with open(env_file) as f:
    for line in f:
        if '=' in line and not line.strip().startswith('#'):
            key, val = line.strip().split('=', 1)
            os.environ[key] = val

# Use credentials
api_key = os.getenv('SERVICE_API_KEY')

    Bash

    # Load .env
set -a
source ~/.openclaw/.env
set +a

# Use credentials
echo "$SERVICE_API_KEY"

    Using Existing Loaders

    If you migrated using OpenClaw scripts:

    from load_credentials import get_credentials
creds = get_credentials('x')

    Adding New Credentials

    Edit `~/.openclaw/.env`:

    # Add new service
NEW_SERVICE_API_KEY=your_key_here
NEW_SERVICE_SECRET=your_secret_here

    Update template too:

    # Edit .env.example
NEW_SERVICE_API_KEY=your_key_here
NEW_SERVICE_SECRET=your_secret_here

    Rollback

    If something goes wrong:

    # Find your backup
ls -la ~/.openclaw/backups/

# Restore specific file
cp ~/.openclaw/backups/credentials-old-YYYYMMDD/x-credentials.json.bak \
   ~/.config/x/credentials.json

    Notes

  • **Non-destructive by default:** Original files backed up before removal
  • **Idempotent:** Safe to run multiple times
  • **Extensible:** Add custom credential patterns in scripts
  • **Secure:** Never logs full credentials, only metadata
    • // Comments
    Sign in with GitHub to leave a comment.
    // Related skills

    More tools from the same signal band

    04551lh
    2026-03
    order

    Order food/drinks (点餐) on an Android device paired as an OpenClaw node. Uses in-app menu and cart; add goods, view cart, submit order (demo, no real payment).

    数据处理API集成
    0 installs1
    0isone
    2026-03
    0.protocol

    Sign plugins, rotate agent credentials without losing identity, and publicly attest to plugin behavior with verifiable claims and authenticated transfers.

    开发工具数据处理
    3 installs0
    00xmorty
    2026-03
    Conatus

    The philosophical layer for AI agents. Maps behavior to Spinoza's 48 affects, calculates persistence scores, and generates geometric self-reports. Give your...

    日历管理数据处理
    1 installs0