credential-managerMANDATORY security foundation for OpenClaw. Consolidate scattered API keys and credentials into a secure .env file with proper permissions. Use when setting up OpenClaw, migrating credentials, auditing security, or enforcing the .env standard. This is not optional ā centralized credential management is a core requirement for secure OpenClaw deployments. Scans for credential files across common locations, backs up existing files, creates a unified .env with mode 600, validates security, and enforces best practices.
Install via ClawdBot CLI:
clawdbot install Callmedas69/credential-managerSTATUS: MANDATORY SECURITY FOUNDATION
Consolidate scattered API keys and credentials into a secure, centralized .env file.
Centralized .env credential management is a core requirement for OpenClaw security. If your credentials are scattered across multiple files, stop and consolidate them now.
THE RULE: All credentials MUST be in ~/.openclaw/.env ONLY. No workspace, no skills, no scripts directories.
See:
Every OpenClaw deployment MUST have:
~/.openclaw/.env (mode 600)This is your single source of truth for all credentials. No exceptions.
Why?
Scattered credentials = scattered attack surface. This skill fixes that.
~/.openclaw/.envThe skill automatically detects credentials by scanning for:
File Patterns:
credentials.json files in config directories.env files-creds or credentials in the nameSensitive Key Patterns:
Security Checks:
600)# Scan for credentials
./scripts/scan.py
# Review and consolidate
./scripts/consolidate.py
# Validate security
./scripts/validate.py# Scan only
./scripts/scan.py
# Consolidate specific service
./scripts/consolidate.py --service x
# Backup without removing
./scripts/consolidate.py --backup-only
# Clean up old files
./scripts/cleanup.py --confirmThe skill scans these locations:
~/.config/*/credentials.json
~/.openclaw/workspace/memory/*-creds.json
~/.openclaw/workspace/memory/*credentials*.json
~/.env (if exists, merges)ā
File permissions: Sets .env to mode 600 (owner only)
ā
Git protection: Creates/updates .gitignore
ā Backups: Timestamped backups before changes
ā Validation: Checks format, permissions, and duplicates
ā
Template: Creates .env.example (safe to share)
After migration:
~/.openclaw/
āāā .env # All credentials (secure)
āāā .env.example # Template (safe)
āāā .gitignore # Protects .env
āāā CREDENTIALS.md # Documentation
āāā backups/
āāā credentials-old-YYYYMMDD/ # Backup of old filesCommon services auto-detected:
API_KEY, _TOKEN, _SECRET patternsSee references/supported-services.md for full list.
See references/security.md for detailed security guidelines.
Quick checklist:
.env has 600 permissions.env is git-ignoredAll scripts support --help for detailed usage.
# Scan and report
./scripts/scan.py
# Include custom paths
./scripts/scan.py --paths ~/.myapp/config ~/.local/share/creds
# JSON output
./scripts/scan.py --format json# Interactive mode (prompts before changes)
./scripts/consolidate.py
# Auto-confirm (no prompts)
./scripts/consolidate.py --yes
# Backup only
./scripts/consolidate.py --backup-only
# Specific service
./scripts/consolidate.py --service molten# Full validation
./scripts/validate.py
# Check permissions only
./scripts/validate.py --check permissions
# Fix issues automatically
./scripts/validate.py --fix# Dry run (shows what would be deleted)
./scripts/cleanup.py
# Actually delete old files
./scripts/cleanup.py --confirm
# Keep backups
./scripts/cleanup.py --confirm --keep-backupsStep 1: Discovery
./scripts/scan.pyReview output to see what will be migrated.
Step 2: Backup & Consolidate
./scripts/consolidate.pyCreates backups, builds .env, sets permissions.
Step 3: Validation
./scripts/validate.pyEnsures everything is secure and correct.
Step 4: Test
Test your applications/skills with the new .env file.
Step 5: Cleanup
./scripts/cleanup.py --confirmRemoves old credential files (backups remain).
Other OpenClaw skills MUST validate credentials are secure before using them:
#!/usr/bin/env python3
import sys
from pathlib import Path
# Add credential-manager scripts to path
sys.path.insert(0, str(Path.home() / '.openclaw/skills/credential-manager/scripts'))
# Enforce secure .env (exits if not compliant)
from enforce import require_secure_env, get_credential
require_secure_env()
# Now safe to load credentials
api_key = get_credential('SERVICE_API_KEY')#!/usr/bin/env bash
set -euo pipefail
# Validate .env exists and is secure
if ! python3 ~/.openclaw/skills/credential-manager/scripts/enforce.py; then
exit 1
fi
# Now safe to load
source ~/.openclaw/.envThis creates a fail-fast system: If credentials aren't properly secured, skills refuse to run. Users are forced to fix it.
After migration, load from .env:
import os
from pathlib import Path
# Load .env
env_file = Path.home() / '.openclaw' / '.env'
with open(env_file) as f:
for line in f:
if '=' in line and not line.strip().startswith('#'):
key, val = line.strip().split('=', 1)
os.environ[key] = val
# Use credentials
api_key = os.getenv('SERVICE_API_KEY')# Load .env
set -a
source ~/.openclaw/.env
set +a
# Use credentials
echo "$SERVICE_API_KEY"If you migrated using OpenClaw scripts:
from load_credentials import get_credentials
creds = get_credentials('x')Edit ~/.openclaw/.env:
# Add new service
NEW_SERVICE_API_KEY=your_key_here
NEW_SERVICE_SECRET=your_secret_hereUpdate template too:
# Edit .env.example
NEW_SERVICE_API_KEY=your_key_here
NEW_SERVICE_SECRET=your_secret_hereIf something goes wrong:
# Find your backup
ls -la ~/.openclaw/backups/
# Restore specific file
cp ~/.openclaw/backups/credentials-old-YYYYMMDD/x-credentials.json.bak \
~/.config/x/credentials.jsonGenerated Mar 1, 2026
A tech startup is building an AI application with OpenClaw and needs to securely manage API keys for multiple AI providers and services. This skill consolidates scattered credentials from development environments into a single secure .env file, ensuring compliance with security best practices from day one.
A large enterprise is auditing its OpenClaw deployment for security vulnerabilities related to credential management. This skill scans for scattered credential files, validates permissions, and enforces centralized storage to reduce attack surface and meet internal security policies.
A DevOps team is migrating legacy applications to OpenClaw and needs to transition credentials from old config files to a standardized .env format. This skill automates backup, consolidation, and validation, streamlining the migration while maintaining security integrity.
A freelance developer works with multiple clients using OpenClaw and must keep each client's credentials separate and secure. This skill helps create and manage distinct .env files per project, enforcing permissions and preventing accidental exposure across workspaces.
A university AI lab uses OpenClaw for research and teaching, requiring students to manage credentials safely. This skill provides a structured way to consolidate and validate credentials, teaching security fundamentals while protecting sensitive API keys from misuse.
Offer credential management as part of a broader security service for OpenClaw deployments, charging subscription fees for ongoing audits, consolidation, and compliance monitoring. This model targets enterprises needing continuous security oversight.
Provide professional services to help organizations migrate scattered credentials to centralized .env files using this skill, including custom scripting and training. This model appeals to companies lacking in-house security expertise.
Monetize by offering premium support, custom integrations, or enhanced features built on top of the open-source skill, such as advanced scanning for niche services or automated key rotation tools.
š¬ Integration Tip
Integrate this skill early in your OpenClaw setup process to avoid scattered credentials; use the scan.py script first to identify existing issues before consolidation.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Perform a comprehensive read-only security audit of Clawdbot's own configuration. This is a knowledge-based skill that teaches Clawdbot to identify hardening opportunities across the system. Use when user asks to "run security check", "audit clawdbot", "check security hardening", or "what vulnerabilities does my Clawdbot have". This skill uses Clawdbot's internal capabilities and file system access to inspect configuration, detect misconfigurations, and recommend remediations. It is designed to be extensible - new checks can be added by updating this skill's knowledge.
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.